Effective Date: Xst of Xxx 20XX
Volume: X   Chapter: X   Version: X

IT GOVERNANCE
INFORMATION SECURITY POLICY
Page 1 of 114

Approval Stamp.
Chairman:

Information Security Policy v1.0

This document is the property of ADWEA and cannot be used nor provided to an outside party without prior authorization.

Title           Signature
Prepared By     ADWEA Information Security
Reviewed By     IMS Representative
Endorsed By     Information Security Governance Committee
Endorsed By     Director General
Approved By     Chairman


CHANGES HISTORY SHEET

Doc. Change No.   Page No.   New Issue Dated   Doc. Change Request No.   Summary of Change


INFORMATION SECURITY POLICY V1.0 .................................................................................................. 1


1 EXECUTIVE SUMMARY ............................................................................................................. 10
2 GENERAL APPLICABILITY .......................................................................................................... 10
3 IT POLICY ELEMENTS ................................................................................................................ 11
3.1. [ITD-IS-PL-001] INFORMATION SECURITY REQUIREMENTS POLICY .......................................................... 11
3.1.1 Policy summary ......................................................................................................................11
3.1.2 Applicability............................................................................................................................11
3.1.3 Background ............................................................................................................................11
3.1.4 Guiding principle ....................................................................................................................12
3.1.5 Detailed policy requirements ................................................................................................12
3.1.6 Responsibilities and accountabilities .....................................................................................14
3.1.7 Any References ......................................................................................................................15
3.2. [ITD-IS-PL-002] INFORMATION SECURITY RISK MANAGEMENT POLICY..................................................... 16
3.2.1 Policy summary ......................................................................................................................16
3.2.2 Applicability............................................................................................................................16
3.2.3 Background ............................................................................................................................16
3.2.4 Guiding principle ....................................................................................................................16
3.2.5 Detailed policy requirements ................................................................................................17
3.2.6 Responsibilities and accountabilities .....................................................................................20
3.2.7 Any References ......................................................................................................................20
3.3. [ITD-IS-PL-003] AWARENESS AND TRAINING POLICY ........................................................................... 21
3.3.1 Policy summary ......................................................................................................................21
3.3.2 Applicability............................................................................................................................21
3.3.3 Background ............................................................................................................................21
3.3.4 Guiding principle ....................................................................................................................21


3.3.5 Detailed policy requirements ................................................................................................21


3.3.6 Responsibilities and accountabilities .....................................................................................23
3.3.7 Any References ......................................................................................................................23
3.4. [ITD-IS-PL-004] HUMAN RESOURCES SECURITY POLICY........................................................................ 24
3.4.1 Policy summary ......................................................................................................................24
3.4.2 Applicability............................................................................................................................24
3.4.3 Background ............................................................................................................................24
3.4.4 Guiding principle ....................................................................................................................24
3.4.5 Detailed policy requirements ................................................................................................25
3.4.6 Responsibilities and accountabilities .....................................................................................26
3.4.7 Any References ......................................................................................................................27
3.5. [ITD-IS-PL-005] COMPLIANCE POLICY ............................................................................................. 28
3.5.1. Policy summary ...................................................................................................................28
3.5.2. Applicability .........................................................................................................................28
3.5.3. Background..........................................................................................................................28
3.5.4. Guiding principle .................................................................................................................28
3.5.5. Detailed policy requirements ..............................................................................................30
3.5.6. Responsibilities and accountabilities ..................................................................................31
3.5.7. Any References....................................................................................................................31
3.6. [ITD-IS-PL-006] PERFORMANCE EVALUATION POLICY .......................................................................... 32
3.6.1. Policy summary ...................................................................................................................32
3.6.2. Applicability .........................................................................................................................32
3.6.3. Background..........................................................................................................................32
3.6.4. Guiding principle .................................................................................................................32
3.6.5. Detailed policy requirements ..............................................................................................33


3.6.6. Responsibilities and accountabilities ..................................................................................33


3.6.7. Any References....................................................................................................................33
3.7. [ITD-IS-PL-007] INFORMATION ASSET MANAGEMENT POLICY ............................................................... 34
3.7.1. Policy summary ...................................................................................................................34
3.7.2. Applicability .........................................................................................................................34
3.7.3. Background..........................................................................................................................34
3.7.4. Guiding principle .................................................................................................................34
3.7.5. Detailed policy requirements ..............................................................................................35
3.7.6. Responsibilities and accountabilities ..................................................................................38
3.7.7. Any References....................................................................................................................38
3.8. [ITD-IS-PL-008] PHYSICAL AND ENVIRONMENTAL POLICY ..................................................................... 39
3.8.1. Policy summary ...................................................................................................................39
3.8.2. Applicability .........................................................................................................................39
3.8.3. Background..........................................................................................................................39
3.8.4. Guiding principle .................................................................................................................39
3.8.5. Detailed policy requirements ..............................................................................................40
3.8.6. Responsibilities and accountabilities ..................................................................................45
3.8.7. Any References....................................................................................................................46
3.9. [ITD-IS-PL-009] OPERATIONS SECURITY POLICY ................................................................................. 47
3.9.1. Policy summary ...................................................................................................................47
3.9.2. Applicability .........................................................................................................................47
3.9.3. Background..........................................................................................................................47
3.9.4. Guiding principle .................................................................................................................47
3.9.5. Detailed policy requirements ..............................................................................................48
3.9.6. Responsibilities and accountabilities ..................................................................................55


3.9.7. Any References....................................................................................................................55


3.10. [ITD-IS-PL-010] COMMUNICATIONS POLICY ...................................................................................... 56
3.10.1. Policy summary ...................................................................................................................56
3.10.2. Applicability .........................................................................................................................56
3.10.3. Background .........................................................................................................................56
3.10.4. Guiding principle .................................................................................................................56
3.10.5. Detailed policy requirements ..............................................................................................57
3.10.6. Responsibilities and accountabilities ..................................................................................61
3.10.7. Any References ...................................................................................................................61
3.11. [ITD-IS-PL-011] ACCESS CONTROL POLICY ........................................................................................ 62
3.11.1. Policy summary ...................................................................................................................62
3.11.2. Applicability .........................................................................................................................62
3.11.3. Background .........................................................................................................................62
3.11.4. Guiding principle .................................................................................................................62
3.11.5. Detailed policy requirements ..............................................................................................63
3.11.6. Responsibilities and accountabilities ..................................................................................75
3.11.7. Any References ...................................................................................................................75
3.12. [ITD-IS-PL-012] THIRD-PARTY SECURITY POLICY ................................................................................ 76
3.12.1. Policy summary ...................................................................................................................76
3.12.2. Applicability .........................................................................................................................76
3.12.3. Background .........................................................................................................................76
3.12.4. Guiding principle .................................................................................................................76
3.12.5. Detailed policy requirements ..............................................................................................77
3.12.6. Responsibilities and accountabilities ..................................................................................81
3.12.7. Any References ...................................................................................................................82


3.13. [ITD-IS-PL-013] INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE POLICY ............... 83
3.13.1. Policy summary ...................................................................................................................83
3.13.2. Applicability .........................................................................................................................83
3.13.3. Background .........................................................................................................................83
3.13.4. Guiding principle .................................................................................................................83
3.13.5. Detailed policy requirements ..............................................................................................84
3.13.6. Responsibilities and accountabilities ..................................................................................88
3.13.7. Any References ...................................................................................................................88
3.14. [ITD-IS-PL-014] INFORMATION SECURITY INCIDENT MANAGEMENT POLICY .............................................. 89
3.14.1. Policy summary ...................................................................................................................89
3.14.2. Applicability .........................................................................................................................89
3.14.3. Background .........................................................................................................................89
3.14.4. Guiding principle .................................................................................................................89
3.14.5. Detailed policy requirements ..............................................................................................90
3.14.6. Responsibilities and accountabilities ..................................................................................93
3.14.7. Any References ...................................................................................................................93
3.15. [ITD-IS-PL-015] INFORMATION SYSTEMS CONTINUITY PLANNING POLICY ................................................. 94
3.15.1. Policy summary ...................................................................................................................94
3.15.2. Applicability .........................................................................................................................94
3.15.3. Background .........................................................................................................................94
3.15.4. Guiding principle .................................................................................................................94
3.15.5. Detailed policy requirements ..............................................................................................95
3.15.6. Responsibilities and accountabilities ..................................................................................97
3.15.7. Any References ...................................................................................................................97
4. ROLES AND RESPONSIBILITIES .................................................................................................. 98


5. EXCEPTIONS AND CONDITIONS .............................................................................................. 103


6. REFERENCES .......................................................................................................................... 104
7. DEFINITIONS .......................................................................................................................... 105
8. ACCEPTABLE USE POLICY SECTION: ........................................................................................ 107
8.1. POLICY SUMMARY ...................................................................................................................... 107
8.2. APPLICABILITY ............................................................................................................. 107
8.3. DETAILED POLICY REQUIREMENTS.................................................................................................... 107
8.3.1. General ..............................................................................................................................107
8.3.2. Antivirus (end point) Use policy ........................................................................................108
8.3.3. Password Use policy ..........................................................................................................108
8.3.4. Use of Intranet and Internet .............................................................................................109
8.3.5. Use of Email .......................................................................................................................110
8.3.6. Mobile Device Usage .........................................................................................................111
8.3.7. Clean Desk .........................................................................................................................112
8.3.8. Clear Screen.......................................................................................................................113
8.3.9. VoIP ...................................................................................................................113
8.3.10. Removable Media .............................................................................................................113
8.3.11. Compliance........................................................................................................................113
8.3.12. Acknowledgement of Receipt and Understanding ...........................................................114


1 EXECUTIVE SUMMARY

We believe that Information Security is critical for establishing trust between our customers, business
partners, and employees. It is one of the fundamental requirements to ensure the integrity and timely
availability of information for serving our customers efficiently and effectively, to ensure legal
compliance, and to prevent unauthorized access to our business systems and data.

This Information Security Policy is developed to define the appropriate use of computing and
communications resources. It addresses security aspects of the information stored on or transferred
via computers, networks, telephones or other communications devices, as well as the usage and
protection of the physical assets themselves. This policy applies to all employees and contracted
workforce associated with ADWEA.

2 GENERAL APPLICABILITY

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.


3 IT POLICY ELEMENTS

3.1. [ITD-IS-PL-001] Information Security Requirements Policy

3.1.1 Policy summary

This policy protects the information used to conduct ADWEA's business and the systems that support
this information. The high-level objectives of this policy are:
- Maintaining the confidentiality of sensitive information
- Successful management of the information security risks within ADWEA
- Efficient management of the information security process
- Compliance with sector or national requirements

3.1.2 Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

3.1.3 Background

We believe that Information Security is critical for establishing trust between our customers, business
partners, and employees. It is one of the fundamental requirements to ensure the integrity and timely
availability of information for serving our customers efficiently and effectively, to ensure legal compliance,
and to prevent unauthorized access to our business systems and data.
These policies provide information that communicates the direction to be followed in securing the
organization.


3.1.4 Guiding principle

- Information, software, infrastructure, people, locations, property, reputation, and intangible
services are critical business assets; security ensures the confidentiality, integrity, availability, reliability,
and safety of these assets.
- Security is provided in a manner that fully serves the business interest. The application of security
requirements is consistent with business requirements and adheres to industry best practices,
applicable laws and regulations.
- Business assets are to be used only for authorized purposes.
- ADWEA's management, its employees across its group of companies and information technology
service contractors are accountable for the protection of business assets received, created, or held
by, or on behalf of, ADWEA and its clients.

3.1.5 Detailed policy requirements

3.1.5.1 The Director General shall ensure that the information security policy, as well as guidelines
and standards, are utilized and acted upon by delegating the responsibility appropriately
down the line while remaining accountable.
3.1.5.2 The Director General must ensure the availability of sufficient training and information
material for all users, to enable the users to protect ADWEA's data and information systems.
3.1.5.3 The Information security policy shall be reviewed and updated annually or when necessary,
in accordance with principles described in NESA UAE Information Assurance Standards. This
will ensure that it remains appropriate in the light of any relevant changes to the law,
organizational policies or contractual obligations.
3.1.5.4 All important changes to ADWEA's activities, and other external changes related to the threat
level, shall result in a revision of the policy and the guidelines relevant to the information
security.
3.1.5.5 It is ADWEA's policy that the information it manages shall be appropriately secured to protect
against the consequences of breaches of confidentiality, failures of integrity or interruptions
to the availability of that information.
3.1.5.6 This information security policy provides management direction and support for information
security across the organization. Specific, subsidiary information security policies shall be
considered part of this information security policy and shall have equal standing.
3.1.5.7 This policy has been ratified by ADWEA and forms part of its policies and procedures. It is
applicable to and will be communicated to staff and other relevant parties.
3.1.5.8 To determine the appropriate levels of security measures applied to information systems, a
process of risk assessment shall be carried out for each critical service to identify the
probability and impact of security failures.
3.1.5.9 To manage information security within the organization an information security oversight
committee shall be established, chaired by a senior officer and comprising appropriate senior
organizational managers. The objective of this group shall be to ensure that there is clear
direction and visible management support for security initiatives.
3.1.5.10 This oversight group shall promote security through appropriate commitment and adequate
resourcing.
3.1.5.11 An information security working party, comprising management representatives from all
relevant parts of the organization, shall devise and coordinate the implementation of
information security controls.
3.1.5.12 The responsibility for ensuring the protection of information systems and specific security
processes shall lie with the head of the department managing that information system.
3.1.5.13 Specialist advice on information security shall be made available throughout the
organization.
3.1.5.14 ADWEA will establish and maintain appropriate contacts with other organizations, law
enforcement authorities, regulatory bodies, and network and telecommunications operators
in respect of its information security policy.
3.1.5.15 The implementation of the information security policy shall be reviewed independently of
those charged with its implementation.
3.1.5.16 Violations of this policy, including failure to report non-compliance, can result in disciplinary
action as described in the exceptions process.

3.1.6 Responsibilities and accountabilities

3.1.6.1 Owner of the security policy - The Director General is the owner of the security policy (this
document). He delegates the responsibility for security-related decision making to the CISO
(Chief Information Security Officer) and the information security oversight committee. All
policy changes must be endorsed by the above committee.
3.1.6.2 Information security oversight committee - The role of the committee is primarily to
coordinate and facilitate information security initiatives and activities at the executive and
senior management level and thus to enable ADWEA to optimize its information security
posture and minimize security risk.
3.1.6.3 CISO (Chief Information Security Officer) - The CISO holds the primary responsibility for
ensuring the management of information security.
3.1.6.4 Information owner - Information owners are the people or departments who are accountable
for specific information or information resources. They are primarily responsible for information
classification, defining access rules and other security controls for the information assets
under their jurisdiction.
3.1.6.5 System owner - System owners are the individuals or departments who are responsible for
implementing the defined controls and access to an information resource.
3.1.6.6 Users - Employees are responsible for familiarizing themselves with and complying with the
policies.
3.1.6.7 Consultants and contractual partners - Contractual partners and contracted consultants must
comply with the information security policy. The information owner is responsible for
ensuring that this is implemented.
3.1.6.8 Internal Audit is authorized to assess compliance with this and other corporate policies.

3.1.7 Any References

Item Description

3.2. [ITD-IS-PL-002] Information Security Risk Management Policy

3.2.1 Policy summary

- To ensure that a current and complete information risk profile exists for the technology, applications
  and infrastructure within the enterprise.
- To ensure that the entity's risk appetite and tolerance are understood, articulated and
  communicated internally.
- To ensure that these risks are treated in accordance with the information security requirements
  and objectives of the entity, which are aligned with the NESA requirements.

3.2.2 Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.2.3 Background

Entities owning, operating and/or maintaining Critical Information Infrastructure in the UAE must
consider all relevant NESA issuances and guidance about risk management when performing risk
assessment.
These entities are charged with protecting the confidentiality, integrity and availability of their
Information Resources as per NESA mandates. To accomplish this task, a formal Information Security
Risk Management Program has been established as a component of ADWEA's Information
Security Program to ensure that ADWEA is operating with an acceptable level of risk. The Information
Security Risk Management Program is described in this Policy.

3.2.4 Guiding principle

Effective enterprise governance and management of IT risk:
- Always connects to business objectives
- Aligns the management of IT-related business risk with overall enterprise risk management
  (ERM) if applicable, i.e., if ERM is implemented in the enterprise
- Balances the costs and benefits of managing IT risk
- Promotes fair and open communication of IT risk
- Establishes the right tone from the top while defining and enforcing personal accountability for
  operating within acceptable and well-defined tolerance levels
- Is a continuous process and part of daily activities.

3.2.5 Detailed policy requirements

3.2.5.1 ADWEA will use the NESA IAS as its framework for managing its information security risks
by establishing the context, performing IT risk assessments, implementing risk treatments
and monitoring their implementation.
3.2.5.2 There will be a formal, documented and approved process and procedure for
Information Security risk assessment, treatment and monitoring at ADWEA.
3.2.5.3 The scope of the risk assessment, treatment and monitoring shall cover all the critical services
and their supporting functions based on the information asset classification (refer to asset
management policy).
3.2.5.4 Roles and responsibilities related to the overall Information Security risk management for
ADWEA shall be clearly defined and communicated.
3.2.5.5 Risk impact criteria, acceptance criteria and risk evaluation criteria shall be clearly defined
under risk management standards.
3.2.5.6 The Information Security risk management shall be integrated with the enterprise risk
management.
3.2.5.7 The Information Security risk management plan shall cover all the main elements as outlined
below.
3.2.5.7.1 Information Risk Identification - ADWEA shall apply the information security risk assessment
process to identify risks associated with the loss of confidentiality, integrity and availability
for its critical information assets by:
- Defining clearly the scope of the risk assessment exercise.
- Identifying critical business functions.
- Identifying critical information systems supporting business critical functions within
  the scope and boundary of the risk assessment.
- Identifying vulnerabilities related to the information and information systems.
- Identifying existing information security controls.
- Identifying threats and threat sources.
- Identifying the risk owners.
- Finally, documenting the results of the risk identification.
3.2.5.7.2 Information Risk Analysis and Evaluation - Based on the risks identified, ADWEA shall perform
a proper risk analysis and evaluation to identify and document the business impact of the
risk exposure. The following essentials should be considered:
- Assess the potential consequences that would result if the identified risks were to
  materialize, by assessing the consequences of losses of confidentiality, integrity or
  availability.
- Assess the realistic likelihood of the occurrence of the identified risks based on the
  existing controls, identified vulnerabilities and threats.
- Determine the overall levels of risk.
- Document the results of the risk analysis.
- Establish priorities for treatment of the identified risks.
- Share the results with national and sector authorities where applicable.
3.2.5.7.3 Information Risk Treatment - ADWEA shall identify and plan appropriate risk treatment
for IT risks that have been assessed, based on the following guidelines.
- It shall consider the following risk treatment options and select one or more of them
  for each of the risks that have been assessed during the Risk Assessment:
  - Risk Reduction - Reducing the risk by applying security controls.
  - Risk Retention - Accepting the risk based on the entity's risk acceptance criteria
    established as per this policy.
  - Risk Avoidance - Avoiding the activity or condition causing the risk.
  - Risk Transfer - Transferring the risk to another party.
- It shall identify all controls that are necessary to implement the information security
  risk treatment option(s) chosen.
- It will utilize the controls mentioned under the NESA IAS as a starting point for control
  identification and may expand on them.
- It will ensure that no controls are overlooked by producing the Statement of
  Applicability for the risk treatment.
- It will identify controls in addition to the controls suggested by NESA that may be
  specific to the entity or the sector.
- ADWEA shall then formulate a risk treatment plan which will clearly identify the
  following:
  - Appropriate management actions
  - Resources required
  - Responsibilities and priorities for managing information security risks
  - Target dates for implementation of the identified controls
  - Documentation of the risk treatment plan.

3.2.5.7.4 Monitoring of Information security risk management - ADWEA shall plan and document
the process for the review and update of the risk assessment and treatment; this shall
include planned reviews and updates as well as ad hoc updates if significant changes occur.
- ADWEA's monitoring and review processes shall encompass all aspects of the risk
  management process and shall take account of changes in:
  A. The entity itself
  B. Technology used
  C. Business objectives and processes
  D. Risk criteria and the risk assessment process
  E. Assets and consequences of losses of confidentiality, integrity or availability
  F. Identified threats
  G. Identified vulnerabilities
  H. Effectiveness of the implemented controls
  I. External events, such as changes to the legal or regulatory environment, changed
     contractual obligations, and changes in social climate.
- ADWEA shall monitor security incidents that might trigger the risk assessment
  process.
- Responsibilities for monitoring and review shall be clearly defined and documented.

3.2.5.7.5 Communication of Information security risks - ADWEA shall communicate, and consult on,
risk information obtained during and after risk management activities with all
stakeholders involved.
- It will establish and use a formal risk communication plan for communicating risk
  information with key stakeholders, including decision-makers within the entity, during
  all stages of the risk management process.

3.2.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall Information
security policy.

3.2.7 Any References

Item Description

3.3. [ITD-IS-PL-003] Awareness and Training Policy

3.3.1 Policy summary

This policy specifies an information security awareness and training program to inform and motivate all
workers regarding their information security obligations.

3.3.2 Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.3.3 Background

Technical security controls are a vital part of our information security framework but are not in
themselves sufficient to secure all our information assets. Effective information security also requires
the awareness and proactive support of all workers, supplementing and making full use of the technical
security controls. Lacking adequate information security awareness, workers are less likely to recognize
or react appropriately to information security threats and incidents. Whereas awareness implies a
basic level of understanding about a broad range of information security matters, training implies
more narrowly-focused and detailed attention to one or more specific topics. Training tends to be
delivered through classroom or online courses, while awareness tends to be delivered by multiple
communications methods such as seminars, case studies, written briefing and reference materials,
posters and conversations. Awareness provides the foundation level of knowledge and understanding
for training to build upon.

3.3.4 Guiding principle

In order to protect information assets, all workers must be informed about relevant, current
information security matters, and motivated to fulfill their information security obligations.

3.3.5 Detailed policy requirements

3.3.5.1 An information security awareness program shall ensure that all workers achieve and
maintain at least a basic level of understanding of information security matters, such as
general obligations under various information security policies, standards, procedures,
guidelines, laws, regulations and contractual terms, plus generally held standards of ethics
and acceptable behavior.
3.3.5.2 Additional training is mandated for workers with specific obligations towards information
security that are not satisfied by basic security awareness, for example Information Risk and
Security Management, Security Administration, Site Security and IT/Network Operations
personnel. Such training requirements must be identified in workers' personal training plans
and funded accordingly. The training requirements will reflect workers' relevant prior
experience, training and/or professional qualifications, as well as anticipated job needs.
3.3.5.3 Security awareness and training activities shall commence as soon as practicable after
workers join the organization, for instance through attending information security
induction/orientation classes. The awareness activities shall continue on a continuous/rolling
basis thereafter in order to maintain a reasonably consistent level of awareness.
3.3.5.4 Where necessary and practicable, security awareness and training materials should suit their
intended audiences in terms of their styles, formats, complexity, technical content etc.
Everyone needs to know why information security is so important, but the motivators may
be different for workers concerned only about their own personal situations or managers
with broader responsibilities to the organization and their staff.
3.3.5.5 A centralized Information Security location on the intranet shall be the focal point for security
awareness, providing information and guidance on a wide variety of information security matters.
It is the definitive source of current information security policies, standards, procedures and
guidelines. However, workers with limited intranet access must also be kept suitably
informed by other means such as seminars, briefings and courses.
3.3.5.6 Information security awareness training shall be measured for effectiveness using
awareness training test results and other supporting metrics.

3.3.6 Responsibilities and accountabilities

3.3.6.1 The Director General is accountable for running an effective information security awareness
and training program.
3.3.6.2 The Chief Information Security Officer is responsible for managing an effective information
security awareness and training program.
3.3.6.3 The relevant training department is responsible for running security awareness and training
related activities.
3.3.6.4 The IT Help/Service Desk is responsible for providing workers with basic information security
guidance.
3.3.6.5 Managers are responsible for ensuring that their staff and other workers within their remit
participate in the information security awareness, training and educational activities where
appropriate.
3.3.6.6 Workers are personally accountable for complying with the information security related
policies or processes and any training and awareness programs conducted by ADWEA.

3.3.7 Any References

Item Description

3.4. [ITD-IS-PL-004] Human Resources Security Policy

3.4.1 Policy summary

To increase ADWEA's assurance that personnel will contribute positively to the information security
posture of ADWEA by understanding their responsibilities and ensuring they are suitable for their role.
To address security requirements for each phase of the employment, contract or agreement lifecycle,
supporting HR processes such as employment, change of employment or termination.

3.4.2 Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.4.3 Background

As cited in a variety of sources, people are often described as the weakest link in any security system.
It is important to build security into the entire Human Resource (HR) process, from pre-employment,
during employment, and through termination, to ensure that policies and procedures are in place to
address security issues. Consistent training throughout the entire process ensures that employees and
contractors are fully aware of their roles and responsibilities and understand the criticality of their
actions in protecting and securing both information and facilities.

3.4.4 Guiding principle

An organization's data must be protected from unauthorized access, disclosure, modification,
destruction or interference. For this to happen, the management of human resources related security
and privacy risks needs to be addressed through an appropriate security policy which ensures
adherence to secure best practices for the complete employment lifecycle within the organization.

3.4.5 Detailed policy requirements

3.4.5.1. PRIOR TO EMPLOYMENT


3.4.5.1.1. Pre-hire screening shall be performed for all ADWEA employees, contractors
and third party users prior to hiring, based on a defined background verification check
process in accordance with relevant laws and regulations.
- Additional screening shall be performed for personnel accessing sensitive
  information or critical facilities, or whenever deemed necessary by the HR
  department and/or hiring management.
- The screening process should be repeated periodically for personnel holding
  positions with considerable authority.
- All personnel shall sign a confidentiality and/or Non-Disclosure Agreement
  prior to being granted access to information systems or assets.
- Standard information security terms and conditions shall be defined and
  reviewed periodically for all ADWEA personnel, stating:
  A. Personnel's legal responsibilities and rights
  B. Responsibilities for the classification of information and management of
     ADWEA information systems and services handled by the employee
  C. Responsibilities of personnel for handling information received from other
     companies or external entities
  D. Responsibilities of ADWEA for handling of personal information
  E. Responsibilities that extend outside ADWEA's premises and outside
     regular working hours
- The standard information security terms and conditions shall be included in any
  contract.
- ADWEA management shall ensure all personnel fully understand their relevant
  information security terms and conditions.
3.4.5.2. DURING EMPLOYMENT
ADWEA management responsibilities shall include ensuring that:
A. All personnel are presented, on first access or during personnel orientation, with the relevant
   information security policies and guidelines, to be read and accepted.
B. All personnel are properly briefed on their information security roles and
   responsibilities prior to being granted access to ADWEA information or information
   systems.
C. All personnel comply with ADWEA's information security policies and procedures.
D. All personnel skills and qualifications are continuously evaluated and improved
   in accordance with set, appropriate criteria.
E. A disciplinary process is defined, communicated to all personnel and enforced.
F. The disciplinary process is commenced only after verification that a security
   breach has occurred.
3.4.5.3. TERMINATION / CHANGE OF EMPLOYMENT
- Employment termination or change of employment responsibilities shall be defined and
  assigned, emphasizing the communication of obligations in relation to ADWEA information security
  (including confidentiality and property rights).
- All ADWEA personnel shall return all of the organization's assets in their possession
  upon termination of employment, contract or agreement.
- All personnel access to information and information systems shall be revoked upon
  termination of their employment, contract or agreement, or adjusted upon change.

3.4.6 Responsibilities and accountabilities

3.4.6.1 The Director General is accountable for enforcing an effective HR security policy across the
organization.
3.4.6.2 The Chief Information Security Officer is responsible for developing and maintaining the HR
security policy (including this one), and for ensuring it works in conjunction with the HR process
owners.
3.4.6.3 HR Process Owners are responsible for ensuring that ADWEA's HR processes and policies fully
incorporate the HR security policy elements outlined under this policy.
3.4.6.4 Employees are personally accountable for complying with the HR security related policies or
processes.

3.4.6.5 Internal Audit is authorized to assess compliance with this and other corporate policies.

3.4.7 Any References

Item Description

3.5. [ITD-IS-PL-005] Compliance Policy

3.5.1. Policy summary

- To define compliance from the perspective of ADWEA's Information security policy and the UAE IA
  standards.
- To increase ADWEA's assurance that all of ADWEA's information security requirements and externally
  mandated requirements have been implemented and maintained, where applicable, throughout the
  lifecycle.

3.5.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.5.3. Background

A compliance policy facilitates the implementation of the associated controls to ensure ADWEA is
compliant at the entity, sector, and national levels.

3.5.4. Guiding principle

Important elements to consider when developing a compliance framework or policy include the
following (but are not limited to):
- Awareness of relevant regulations/laws. (Do you know what you should follow?)
- Awareness of relevant policies. (Do you know what organizational policies apply to
  information use?)
- Awareness of relevant contractual agreements. (Do you know what agreements your
  organization has made that impose conditions on the use of data?)
- Awareness of relevant standards or best practices. (Do you know what standards or best
  practices your organization chooses to follow with respect to information use?)
- Management of organizational records. (Do you know what you should keep and for how
  long?)
- Awareness of how records are managed by your organization.
- Approach to complying with each item. (Do you know what your organization is doing to
  follow the law?)

3.5.5. Detailed policy requirements

3.5.5.1. All of ADWEA's legal and contractual compliance requirements, including at sector and national
levels, shall be identified and documented, specifying the consequences of not meeting each
compliance requirement.
3.5.5.2. ADWEA commits to comply with all national, sector and local laws and regulations for
information/cyber security.
3.5.5.3. Execution of all Information security procedures and activities shall comply with ADWEA's
Information Security Policies and Processes.
3.5.5.4. Any perceived violations shall be reported to the site-specific information security focal point
as identified by ADWEA, and appropriate actions shall be taken to mitigate the risks of non-
compliance.
3.5.5.5. All deviations from the Information security policy at the site level shall be approved by the
Information Security Governance Committee (ISGC).
3.5.5.6. Compliance audits shall be conducted only by resources identified by the Information
Security Governance Committee on an annual basis, and shall be carefully planned and
agreed upon when performed against systems or assets.
3.5.5.7. Information consisting of vulnerabilities and potential non-compliance shall be considered
confidential information and shall be treated accordingly.
3.5.5.8. Information concerning such vulnerabilities and non-compliance shall be shared only on a
need to know basis.
3.5.5.9. The Information Security Governance Committee shall be informed of all potential vulnerabilities
and non-compliance issues on a regular basis and shall be accountable for providing adequate
resources to mitigate these issues.
3.5.5.10. The site-specific security focal point of contact is responsible for informing the CISO, so that the
CISO can communicate with external customers or government entities.
3.5.5.11. Individual employees shall not share any potential vulnerabilities or non-compliance issues
externally (e.g. with media, government or customers) or internally, except with individuals or
roles identified by the ISGC for this purpose.

3.5.6. Responsibilities and accountabilities

3.5.6.1. As per the Roles and Responsibilities section mentioned at the end of the overall Information
security policy.
3.5.6.2. IS/Internal Audit is authorized to assess compliance with this policy. Typical responsibilities
include:
- Define the audit criteria, scope and audit plan for each IS security audit.
- Select auditors and conduct audits to ensure objectivity and the impartiality of the audit
  process.
- Ensure that the results of the audits are reported to relevant management.
- Document the audit program and the audit results.
- Ensure that the internal audit findings and subsequent corrective actions are effectively
  implemented and recorded.

3.5.7. Any References

Item Description

3.6. [ITD-IS-PL-006] Performance Evaluation Policy

3.6.1. Policy summary

To ensure that information security performance is measured, analyzed, evaluated and improved
where necessary to meet changing risk factors and ADWEA's goals and objectives.

3.6.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.6.3. Background

Ongoing performance monitoring and evaluation is one of the major contributors to effective
and successful information security operation within any entity. Therefore, ADWEA shall have an overall
framework for its monitoring and performance measurement activities.

3.6.4. Guiding principle

For the measurement of information security performance and the effectiveness of the information
security management system, the organization needs to determine the following:
- what needs to be monitored and measured, including information security processes and
  controls;
- the methods for monitoring, measurement, analysis and evaluation, as applicable, to
  ensure valid results;
- when the monitoring and measuring is to be performed;
- who will monitor and measure;
- when the results from monitoring and measurement are analyzed and evaluated; and
- who will analyze and evaluate these results.

3.6.5. Detailed policy requirements

3.6.5.1. Key security performance indicators shall be established by the CISO and be reviewed and
approved by the Information Security Governance Committee, to evaluate the performance
of ADWEA's Information security controls and the effectiveness of the IT security
management program in achieving business goals and objectives.
3.6.5.2. Annual compliance and operational audits shall identify and evaluate adherence to security
KPIs.
3.6.5.3. When risk factors change (i.e. the threat and vulnerability landscape changes), compliance and
operational audits shall identify and evaluate adherence to security KPIs.
3.6.5.4. All information security incidents shall be analyzed to determine ineffective security controls,
and appropriate compensating controls shall be put in place.
3.6.5.5. The Information Security Governance Committee shall outline performance improvement plans
based on successive progression of security controls maturity and in line with the company's
goals and objectives.
3.6.5.6. The Information Security Governance Committee shall monitor the implementation of the
performance improvement plan on a regular basis.

3.6.6. Responsibilities and accountabilities

3.6.6.1. As per the Roles and Responsibilities section mentioned at the end of the overall Information
security policy.
3.6.6.2. Internal Audit is responsible for assessing the performance of the Information security
program based on the KPIs set by the CISO and approved by the Information Security
Governance Committee.

3.6.7. Any References

Item Description

3.7. [ITD-IS-PL-007] Information Asset Management Policy

3.7.1. Policy summary

To ensure that all information assets are properly classified and that the assets are appropriately
managed and protected throughout their lifecycle, as per their classification.

3.7.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.7.3. Background

An asset is defined as "an item of value". Asset management is based on the idea that it is important
to identify, track, classify, and assign ownership for the most important assets in the organization to
ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of
asset management. Knowing what you have, where it lives, how important it is, and who is responsible
for it are all important pieces of the puzzle.
Similarly, an Information Asset is an item of value containing information. The same concepts of
general asset management apply to the management of information assets. To be effective, an overall
asset management strategy shall include information assets, software assets, and information
technology equipment.

3.7.4. Guiding principle

An organization shall be able to know what physical, environmental or information assets it holds, and
can manage and protect them appropriately. Important elements to consider when developing an
asset management policy are:
Inventory (do you know what assets you have & where they are?)
Responsibility/Ownership (do you know who is responsible for each asset?)
Importance (do you know how important each asset is in relation to other assets?)
Establish acceptable-use rules for information and assets.
Establish procedures for the labeling of physical and information assets.
Establish return of asset procedures (do you have an employee exit procedure?)
Protection (is each asset adequately protected according to how important it is?)

3.7.5. Detailed policy requirements

3.7.5.1. Ownership, Responsibility and Accountability of Assets


3.7.5.1.1. All stakeholders involved in the asset management lifecycle shall be made aware
of, and have access to, the Information asset management policy, processes and
procedures in place.
3.7.5.1.2. At each stage in the Information assets management lifecycle (procurement
through disposal), security requirements and business relevance shall be
considered.
3.7.5.1.3. Information Owners of such assets (e.g. IT hardware, software, IT data stores, etc.)
shall be identified and shall be accountable for the asset.
3.7.5.1.4. The Information Owner shall ensure all Information assets are properly inventoried,
securely protected, reviewed and classified in line with the asset management
process of ADWEA.
3.7.5.1.5. Information owner shall also be responsible for:
a) Approving access to the Information asset.
b) Approving and reviewing security measures for Information assets.
c) Recommending additional controls or advising against controls in light of
system criticality.
d) Ensuring all legal requirements related to the Information asset are met.

3.7.5.2. Information Asset Classification


3.7.5.2.1. When seeking to classify its information assets, ADWEA must develop a
consistent and enterprise-wide Data Classification Matrix.
3.7.5.2.2. The matrix should be used to validate that the classification level proposed is
appropriate to the potential impact.
3.7.5.2.3. Classification levels should be determined by the value of the information asset
and the potential harm were it to be disclosed.
3.7.5.2.4. Where the Information Owner has not defined it, and where it is not subject to
the application of a default classification level, the information asset's
classification will default to Confidential unless and until the Information Owner
completes the exercise of classification.
3.7.5.2.5. Default classification levels must be specified for certain main types of
information asset as per the asset classification process. ADWEA however is at liberty
to modify the classification of these information types, as used within its own
environment. However, where ADWEA intends to use a lower classification level
than identified, the Information Owner should be able to demonstrate an
informed and risk-oriented rationale for why this is appropriate.

3.7.5.3. Asset Inventory


3.7.5.3.1. Change management, risk management, resource management and business
continuity plans shall take into consideration assets criticality/business
relevance.
3.7.5.3.2. Maintenance of the Information asset inventory shall be facilitated in accordance
with the change management and risk management processes, to ensure
accurate updates of ADWEA's Information asset inventory list.
3.7.5.3.3. Asset attributes such as asset owner, asset custodian, asset name, asset tag, IP
address, MAC address, serial number, hardware/firmware version, operating
system version and patches, installed application software version and patches,
third-party application software version and patches, asset security
requirements, asset business criticality, asset data classification and last
review date shall be recorded.
3.7.5.3.4. Automated mechanisms to help maintain an up-to-date, complete and accurate
asset inventory shall be employed wherever technically feasible.
3.7.5.3.5. System architecture/interconnection diagrams showing data flows, and physical
and logical segmentation, shall be reviewed and updated at least quarterly or
on major updates or changes to the asset configuration.
3.7.5.3.6. The asset inventory shall be reviewed and updated at least semi-annually or
on major updates or changes to the asset configuration.
3.7.5.3.7. Asset access restrictions shall be employed to support the protection
requirements for assets, commensurate with asset criticality, security
requirements and level of risk to the business.
3.7.5.3.8. To mitigate the risk of media content degradation, three redundant copies should
be made, two local and one remote, to avoid the risk of non-availability of critical
data.
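The inventory rules in 3.7.5.2.4 and 3.7.5.3.3 to 3.7.5.3.6 are the kind an asset register can check mechanically. The script below is an added example written for this policy, not ADWEA's own tooling: it runs over a constructed inventory (two sample records that are not real ADWEA assets), reports records missing a required attribute, applies the Confidential default to an unclassified asset, flags a record whose last review is older than six months, and normalises MAC addresses so the same device recorded twice under different MAC formats is caught. The field names, the reference date and the six-month threshold (taken from "at least semi-annually") are assumptions.

```python
"""Asset-inventory compliance check (added example; not ADWEA's own tooling).

Rules applied, from the Information Asset Management policy:
  * every record carries the attributes listed in 3.7.5.3.3;
  * an unclassified asset defaults to Confidential (3.7.5.2.4);
  * a record last reviewed more than six months ago is stale (3.7.5.3.6).
Field names, the reference date and the sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Attributes the policy requires for each asset (3.7.5.3.3); names are assumed.
REQUIRED_ATTRIBUTES = (
    "owner", "custodian", "name", "tag", "ip_address", "mac_address",
    "serial_number", "firmware_version", "os_version", "os_patch_level",
    "app_versions", "security_requirements", "criticality", "classification",
    "last_review",
)
REVIEW_INTERVAL = timedelta(days=183)    # "at least semi-annually"
DEFAULT_CLASSIFICATION = "Confidential"  # 3.7.5.2.4


@dataclass
class Finding:
    tag: str
    rule: str
    detail: str


def normalise_mac(mac: str) -> str:
    """Accept '00-1a-2b-3c-4d-5e', '001a.2b3c.4d5e' or '00:1A:...' and return 00:1A:2B:3C:4D:5E."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_asset(record: dict, today: date) -> tuple[dict, list[Finding]]:
    """Return a copy of the record with policy defaults applied, plus any findings."""
    asset = dict(record)
    tag = asset.get("tag") or "<untagged>"
    findings: list[Finding] = []

    # Rule 1: every required attribute is present and non-empty
    # (classification is handled by rule 2 rather than reported as missing).
    for attr in REQUIRED_ATTRIBUTES:
        if attr != "classification" and asset.get(attr) in (None, "", []):
            findings.append(Finding(tag, "missing-attribute", attr))

    # Rule 2: unclassified means Confidential until the owner decides otherwise.
    if not asset.get("classification"):
        asset["classification"] = DEFAULT_CLASSIFICATION
        findings.append(Finding(tag, "classification-defaulted", DEFAULT_CLASSIFICATION))

    # Rule 3: a review older than the semi-annual interval marks a stale record.
    last_review = asset.get("last_review")
    if isinstance(last_review, date) and today - last_review > REVIEW_INTERVAL:
        findings.append(Finding(tag, "review-overdue", last_review.isoformat()))

    # Normalise the MAC so that duplicate detection across records is reliable.
    if asset.get("mac_address"):
        try:
            asset["mac_address"] = normalise_mac(asset["mac_address"])
        except ValueError as exc:
            findings.append(Finding(tag, "invalid-mac", str(exc)))
    return asset, findings


def check_inventory(records: list[dict], today: date) -> tuple[list[dict], list[Finding]]:
    """Check every record and flag serial numbers or MACs recorded on more than one asset."""
    assets: list[dict] = []
    findings: list[Finding] = []
    seen: dict[str, dict[str, str]] = {"serial_number": {}, "mac_address": {}}
    for record in records:
        asset, asset_findings = check_asset(record, today)
        assets.append(asset)
        findings.extend(asset_findings)
        tag = asset.get("tag") or "<untagged>"
        for key, index in seen.items():
            value = asset.get(key)
            if not value:
                continue
            if value in index:
                findings.append(Finding(tag, f"duplicate-{key}", f"also recorded on {index[value]}"))
            else:
                index[value] = tag
    return assets, findings


TODAY = date(2024, 6, 30)  # constructed reference date
SAMPLE_INVENTORY = [       # constructed records, not real ADWEA assets
    {"tag": "ADW-SRV-001", "owner": "Billing Dept", "custodian": "IT Ops", "name": "billing-db-01",
     "ip_address": "10.10.1.5", "mac_address": "00-1a-2b-3c-4d-5e", "serial_number": "SN12345",
     "firmware_version": "2.4", "os_version": "RHEL 8.9", "os_patch_level": "2024-05",
     "app_versions": ["postgresql 15.6"], "security_requirements": "encrypt-at-rest",
     "criticality": "High", "classification": "Restricted", "last_review": date(2024, 5, 1)},
    {"tag": "ADW-WS-042", "owner": "", "custodian": "IT Ops", "name": "ws-042",
     "ip_address": "10.10.20.42", "mac_address": "001a.2b3c.4d5e", "serial_number": "SN99999",
     "firmware_version": "1.0", "os_version": "Windows 11", "os_patch_level": "2023-11",
     "app_versions": ["office 2021"], "security_requirements": "standard",
     "criticality": "Low", "classification": "", "last_review": date(2023, 10, 15)},
]

if __name__ == "__main__":
    _, results = check_inventory(SAMPLE_INVENTORY, TODAY)
    for f in results:
        print(f"{f.tag}: {f.rule} ({f.detail})")
```

On the sample data the first record passes cleanly while the second produces four findings: its owner is blank, its classification is defaulted to Confidential, its review is overdue, and its MAC, once normalised, turns out to be the one already recorded on ADW-SRV-001. The defaulted classification is applied to the returned copy, not written back to the source record, so the inventory owner still sees that the classification exercise has not been completed.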
3.7.5.4. Disposal/Destruction of Asset
3.7.5.4.1. Procedures shall be in place to identify the assets to be collected (both paper
and digital) and disposed of/destroyed securely based on the criticality of the
information stored on the asset.
3.7.5.4.2. The Information asset owner shall ensure secure handling when the Information
asset is decommissioned or destroyed.
3.7.5.4.3. When no longer required, the contents of any storage media (e.g. RAM,
CDs, USB devices, etc.) containing confidential information that are to
be removed from operations shall be made unrecoverable.
3.7.5.4.4. Whenever an owned software copy is declared or deemed obsolete, non-usable
or not in line with ADWEA policy, such copies/media shall be disposed of in a
safe, non-reusable manner.
3.7.5.4.5. All decommissioned assets should be collected and disposed of securely, rather
than attempting to separate out the sensitive items.
3.7.5.4.6. Unused hard-copy media, such as printed documentation, shall be shredded.
3.7.5.4.7. Disposal of sensitive assets and media shall be logged in order to maintain an
audit trail.

3.7.5.5. Asset Buy-back / Exchange option


3.7.5.5.1. If there is an option of buy-back / exchange by the Vendor, the same can be
practiced after management approval. This must not compromise the sensitive
data / information of ADWEA.
3.7.5.5.2. If there is an option of internal buy-back, the same can be practiced with
adequate technical and administrative controls in place, so that it does not
compromise the sensitive data / information of ADWEA.

3.7.6. Responsibilities and accountabilities

3.7.6.1. The Director General shall have the ultimate accountability for all information assets of ADWEA.
He/she may delegate full / partial ownership, along with the defined responsibilities, to any
internal role / function with operational rights and responsibility.
3.7.6.2. The IT Head is responsible for providing operational support and management of information assets
within ADWEA as outlined in this policy.
3.7.6.3. The CISO (Chief Information Security Officer) is responsible for developing and implementing
the information security policy designed to protect information and any supporting
information systems from unauthorized access, use, disclosure, corruption or destruction
of data.
3.7.6.4. End Users authorized by the Information Owner to access information are bound by the
Acceptable Use Policy of ADWEA (ref. Acceptable Use Policy).

3.7.7. Any References

Item Description

3.8. [ITD-IS-PL-008] Physical and Environmental Policy

3.8.1. Policy summary

To ensure ADWEA appropriately protects buildings and rooms to prevent unauthorized access,
damage, or interference to the information systems therein.
To ensure ADWEA appropriately protects information systems equipment from physical and
environmental threats.

3.8.2. Applicability

This policy is applicable to all ADWEA and its Group of companies' information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

3.8.3. Background

Physical and environmental security programs define the various measures or controls that protect
organizations from loss of connectivity and availability of computer processing caused by theft, fire,
flood, intentional destruction, unintentional damage, mechanical equipment failure and power
failures. Physical security measures shall be sufficient to deal with foreseeable threats and shall be
tested periodically for their effectiveness and functionality.

3.8.4. Guiding principle

These are some of the fundamental elements of any Physical and environmental security program
which can act as guidelines for developing an appropriate Physical and environmental security policy
and process. They are listed below.
Determine which managers are responsible for planning, funding, and operations of
physical security of the Data Center.
Review best practices and standards that can assist with evaluating physical security
controls, such as ISO/IEC 27002:2013, NESA IAS, etc.
Establish a baseline by conducting a physical security controls gap assessment that will
include the following as they relate to the ADWEA Data Center:
o Environmental Controls
o Natural Disaster Controls
o Supporting Utilities Controls
o Physical Protection and Access Controls
o System Reliability
o Physical Security Awareness and Training
o Contingency Plans
Determine whether an appropriate investment in physical security equipment (alarms,
locks or other physical access controls, identification badges for high security areas, etc.)
has been made and if these controls have been tested and function correctly.
Provide responsible managers guidance in handling risks.
Maintain a secure repository of physical and environmental security controls and policies
and establish timelines for their evaluation, update and modification.
Create a team of physical and environmental security auditors, outside of the management
staff, to periodically assess the effectiveness of the measures taken and provide feedback
on their usefulness and functionality.

3.8.5. Detailed policy requirements

3.8.5.1. Secure areas: ADWEA shall take due care to prevent unauthorized physical access, damage
or interference to the organization's premises and infrastructure, using controls appropriate
to the identified risks and the value of the assets protected. The policies outlined below
support this objective.
3.8.5.1.1. Physical security perimeter: Security perimeters shall be used to protect areas
that contain information and information processing facilities, using walls,
controlled entry doors/gates, manned reception desks and other measures. The
following points should be considered:
a) perimeter siting and strength is determined in response to risk assessment;
b) clearly defined and marked perimeters, except in situations where
hidden/disguised perimeters would enhance security;
c) use of physical sound proof walls, windows and doors, protected with bars,
locks, alarms as appropriate;
d) use of additional physical barriers, where appropriate, to prevent
unauthorized access or physical contamination;
e) provision of appropriate protection against fire, water or other reasonably
anticipated environmental threats;
f) use of appropriate intrusion detection systems, such as motion and
perimeter alarms, audio and video surveillance;
g) use of manned reception areas or appropriate lock/ID systems to control
passage into the restricted area;
h) measures designed with sufficient redundancy such that a single point of
failure does not compromise security; and
i) regular maintenance to and review of the adequacy of the components of
these physical protections.
3.8.5.1.2. Physical entry control: Secure areas shall be protected by appropriate entry
controls to ensure that only authorized personnel are allowed access. The
following points should be considered:
a) authentication mechanisms (e.g., keycard and PIN) proportionate to the
identified risks and the value of the asset(s) protected;
b) recording of date/time of entry and exit, and/or video recording of activities
in the entry/exit area, as appropriate;
c) requirement for authorized personnel to wear visible identification, and to
report persons without such identification;
d) appropriate authorization and monitoring procedures for third-party
personnel who must be given access to the restricted area; and
e) regular review and, when indicated, revocation of access rights (see also the
Human Resources Security policy).
3.8.5.1.3. Secure offices, rooms and facilities: Physical security for offices, rooms and
facilities shall be designed and implemented. The following points should be
considered:
a) use of measures that are commensurate to the identified risks and the
value of the assets at risk in each setting;
b) use of measures that balance relevant health, safety and related
regulations and standards;
c) use of highly visible controls, where appropriate as a deterrent;
d) use of unobtrusive or hidden controls/facilities, where appropriate for
highly sensitive assets; and
e) restrictions on information about facilities, including directory and location
information.
3.8.5.1.4. Protecting against external and environmental threats: Physical protection
against damage from fire, flood, wind, earthquake, explosion, civil unrest and
other forms of natural and man-made risk shall be designed and implemented.
The following points should be considered:
a) consideration of probabilities of various categories of risks and value of
assets protected against those risks;
b) consideration of security threats posed by neighboring facilities and
structures;
c) appropriate fire-fighting equipment and other counter-measures provided
and suitably located on site; and
d) appropriate siting of backup facilities and data copies in a suitable location
off-site.
3.8.5.1.5. Working in secure areas: Physical protection and guidelines for working in
secure areas shall be designed and implemented. The following points should
be considered:
a) limiting personnel's awareness of, and activities within, a secure location
on a need-to-know basis;
b) limiting or prohibiting unsupervised/unmonitored work in secure areas,
both for safety reasons and to avoid opportunities for malfeasance;
c) keeping vacant secure areas locked, subject to periodic inspection, and/or
monitored remotely as appropriate by video or other technologies;
d) limiting video, audio or other recording equipment, including cameras in
portable devices, in secure areas.

3.8.5.1.6. Public access (including delivery and loading access): Access points such as
delivery and loading areas, and other points where unauthorized persons may
enter the premises, shall be controlled. The following points should be
considered:
a. limits on access to the delivery and loading areas, and to other public access
areas, to the degree possible;
b. inspection of incoming and outgoing materials, and separation of incoming
and outgoing shipments, where possible; and
c. isolation of these areas from information processing facilities and areas
where information is stored, where possible.
3.8.5.2. Equipment security: ADWEA shall take due measures to prevent loss, damage, theft or
compromise of assets, or interruption to the organization's activities.
3.8.5.2.1. Equipment siting and protection: Equipment shall be sited or protected to
reduce the risks from environmental threats and hazards, and to reduce the
opportunities for unauthorized access by human threats. The following points
should be considered.
a. siting to minimize unnecessary risks to the equipment, and to reduce the
need for unauthorized access to sensitive areas;
b. siting to isolate items requiring special protection, to minimize the general
level of protection required;
c. use of particular controls as appropriate to minimize physical threats -- e.g.,
theft or damage from vandalism, fire, water, dust, smoke, vibration,
electrical supply variance, or electromagnetic radiation; and
d. guidelines for eating, drinking, smoking or other activities near equipment.
3.8.5.2.2. Supporting utilities: Equipment shall be protected from power failures,
telecommunications failures, and other disruptions caused by failures in
supporting utilities such as HVAC, water supply and sewage. The following
points should be considered.
a. assuring that the supporting utilities are adequate to support the
equipment under normal operating conditions; and
b. making reasonable provision for backups (e.g., a UPS) in the event of
supporting utility failure.

3.8.5.2.3. Cabling security: Power and telecommunications cabling carrying sensitive
data or supporting information services shall be protected from interception or
damage. The following points should be considered:
a. physical measures to prevent unauthorized interception or damage,
including additional protections for sensitive or critical systems;
b. alternate/backup routings or transmission media where appropriate,
particularly for critical systems;
c. clearly identified cable and equipment markings, except where security is
enhanced by removing/hiding such markings; and
d. documentation of patches and other maintenance activities.
3.8.5.2.4. Equipment maintenance: Equipment shall be correctly maintained to ensure
its continued availability and integrity. The following points should be
considered:
a. appropriate preventive maintenance;
b. documentation of all maintenance activities, including scheduled
preventive maintenance;
c. documentation of all suspected or actual faults, and associated
remediation;
d. maintenance only by authorized employees or contracted third parties; and
e. appropriate security measures, such as clearing of information or
supervision of maintenance processes, appropriate to the sensitivity of the
information on or accessible by the devices being maintained;
3.8.5.2.5. Security of equipment off-premises: Appropriate security measures shall be
applied to off-site equipment, considering the different risks of working outside
the organization's premises. The following points should be considered:
a. authorization of any off-site processing of organizational information,
regardless of the ownership of the processing device(s);
b. security controls for equipment in transit and in off-site premises,
appropriate to the setting and the sensitivity of the information on or
accessible by the device;
c. adequate insurance coverage, where third-party insurance is cost-effective; and
d. employee and contractor awareness of their responsibilities for protecting
information and the devices themselves, and of the risks of off-premises
environments.
3.8.5.2.6. Secure disposal or re-use of equipment: All equipment containing storage
media shall be checked to ensure that sensitive data and licensed software have
been removed or securely overwritten prior to disposal. The following points
should be considered:
a) use of generally accepted methods for secure information removal,
appropriate to the sensitivity of the information known or believed to be
on the media;
b) secure information removal by appropriately trained personnel, or
verification of secure information removal by appropriately trained
personnel.
3.8.5.2.7. Removal of property: Equipment, information or software shall not be taken
off-premises without prior authorization. The following points should be
considered:
a) limitations on types/amounts of information or equipment that may be
taken off-site;
b) recording of off-site authorizations and inventory of equipment and
information taken off-site; and
c) for persons authorized to take equipment or information off-site,
appropriate awareness of security risks associated with off-premises
environments and training in appropriate controls and counter-measures.

3.8.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall Information security policy set.

3.8.7. Any References

Item Description

3.9. [ITD-IS-PL-009] Operations Security Policy

3.9.1. Policy summary

To ensure the effective operation and security of information processing facilities.
To protect the confidentiality, integrity, and availability (CIA) of information technology
resources and data.
To ensure the integrity and availability of information processed and stored within
information processing facilities.
To detect unauthorized activities occurring that may have a detrimental effect upon
information processing facilities.
To ensure the integrity of operating systems.
To prevent exploitation of technical vulnerabilities.
Minimize the impact of audit activities on operational systems.

3.9.2. Applicability

This policy is applicable to all ADWEA and its Group of companies' information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

3.9.3. Background

Operations security involves planning and sustaining the day-to-day processes that are critical to
maintaining the security of an organization's information environment. The extent and complexity of
security operations will vary between organizations based on their risk tolerances and resource levels.
However, the most important aspect of operations security is that the operations themselves should
be repeatable, reliable, and consistently performed.

3.9.4. Guiding principle

The 7 key guiding security controls for any Operational security related policy / process development
are listed below.

Operational Procedures and Responsibilities: important operational processes include
Change Management, Capacity Management, and Separation of Development, Test and
Operations Environments.
Protection from Malware
Backups of all critical business information.
Logging and Monitoring of all critical Information systems
Control of Operational Software
Technical Vulnerability Assessment and Management
Information System Audit Considerations

3.9.5. Detailed policy requirements

3.9.5.1. Operational procedures and responsibilities: ADWEA shall take due measures to ensure the
correct and secure operation of information processing facilities. To this effect the below
mentioned policies have been instituted.
3.9.5.1.1. Documented operating procedures:
Operating procedures shall be documented, maintained and made available to
all users who need them. The following points should be considered:
o documentation of/for all significant system activities including start-up,
close-down, back-up and maintenance;
o treatment of such documents as a formal organizational record, subject to
appropriate change authorization, change tracking and archiving; and
o provision of appropriate security for such documentation, including
distribution control.
3.9.5.1.2. Change management
Changes to information processing facilities and systems shall be controlled using
appropriate change management procedures. The following points should be considered:
o risk assessments, including an analysis of potential impacts and necessary
countermeasures or mitigation controls;
o processes for planning and testing of changes, including fallback (abort/recovery)
measures;
o managerial approval and authorization before proceeding with changes that may
have a significant impact on operations;
o advanced communication/warning of changes, including schedules and a
description of reasonably anticipated effects, provided to all relevant persons;
o documentation of changes made and the prior steps in the change management
process.

3.9.5.1.3. Segregation of duties
Duties and areas of responsibility shall be segregated to the degree practicable, to reduce
opportunities for unauthorized or unintentional modification or misuse of the
organization's assets.

3.9.5.1.4. Separation of development, test and operational facilities
Development, test and operational facilities shall be separated, to the degree practicable,
to reduce risks of unauthorized access or changes to the operational system.

3.9.5.2. Third party delivery management: This category of statement aims to implement and
maintain the appropriate level of information security and service delivery in the context of
third-party service delivery agreements.
3.9.5.2.1. Service delivery
Security controls, service definitions and delivery levels shall be included in third-party
service delivery agreements.
3.9.5.2.2. Monitoring and review of third-party services
Services, reports and records provided by the third party shall be regularly monitored and
reviewed, and appropriate audits conducted.

3.9.5.2.3. Managing changes to third-party services
Changes to the provision of services, including maintaining and improving existing
information security policies, procedures and controls, shall be appropriately managed.
The following points should be considered:
o considering the criticality of the business system(s) and process(es); and
o using appropriate change management procedures, like those applied to internal
service changes.

3.9.5.3. System planning and acceptance : This set of policies aims to minimize the risk of systems
failures and non-availability.
3.9.5.3.1. Capacity management
The use of information and information facility resources shall be appropriately
monitored, and projections made for future capacity requirements to ensure adequate
systems performance. The following points should be considered:
o identification of capacity requirements for each new and ongoing
system/service;
o projection of future capacity requirements, considering current use, projected
trends, and anticipated changes in business requirements; and
o system monitoring and tuning to ensure and, where possible, improve availability
and effectiveness of current systems.
3.9.5.3.2. System acceptance
Acceptance criteria for new information systems, upgrades, and new versions shall be
appropriately established, and suitable tests of the system(s) carried out during
development and prior to acceptance. The following points should be considered:
o clear definition of, agreement on, testing of, and documentation of compliance
with requirements for system acceptance; and
o consultation with affected persons, or representatives of affected groups, at all
phases of the process.

3.9.5.4. Protection against malicious code: This set of statements aims to protect the integrity of
software and information.
3.9.5.4.1. Controls against malicious code
Appropriate controls shall be implemented for prevention, detection and response to
malicious code, including appropriate user awareness. The following points shall be
considered:
o prohibiting the use or installation of unauthorized software, including a
prohibition of obtaining data and software from untrusted networks;
o protective measures, such as installation of up-to-date anti-virus and anti-
spyware software;
o periodic reviews/scans of installed software and the data content of systems to
identify and, where possible, remove any unauthorized software;
o defined procedures for response to identification of malicious code or
unauthorized software;
The following points may also be considered:
o continuity/recovery plans to deal with system interruptions and failures caused
by malicious code; and
o user awareness training on these policies and methods.

3.9.5.5. Back-up : This set of policies aims to maintain the integrity and availability of organizational
information.
3.9.5.5.1. Information back-up
Back-up copies of information and software shall be made, and tested at appropriate
intervals, in accordance with agreed-upon back-up standards. The following points
should be considered:
o formal definition of the level of backup required for each system -- scope of data
to be imaged, frequency of imaging, duration of retention -- based on legal-
regulatory-certificatory standards and business requirements;

o complete inventory records for the back-up copies, including content and current
location;
o complete documentation of restoration procedures for each system;
o storage of the back-ups in a remote location, at a sufficient distance to make
them reasonably immune from damage to data at the primary site;
o appropriate physical and environmental controls for the back-up copies wherever
located;
o appropriate technical controls, such as encryption, for back-up copies of sensitive
information;
o regular testing of back-up media; and
o regular testing of restoration procedures.
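The last two points, testing the back-up media and testing the restoration procedure, are the ones most often skipped, and a back-up that has never been restored is of unknown value. The following Python script is added here as an illustration and is not part of the ADWEA policy set or any ADWEA tooling. It shows what a minimal restore drill looks like: it records a SHA-256 manifest of the live data (the inventory record called for above), restores from a copy into a fresh location, and checks the restored tree against the manifest, reporting missing, altered and unexpected files. The directory names, file contents and the damage injected during the drill are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large back-ups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Inventory record: relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict) -> list:
    """Compare a restored tree against the manifest taken at back-up time.
    Returns a sorted list of problems; an empty list means the restore is faithful."""
    restored_root = Path(restored_root)
    problems = []
    for rel_path, expected in manifest.items():
        candidate = restored_root / rel_path
        if not candidate.is_file():
            problems.append(f"missing: {rel_path}")
        elif sha256_file(candidate) != expected:
            problems.append(f"mismatch: {rel_path}")
    # Files that were never backed up should not appear after a restore either.
    for p in restored_root.rglob("*"):
        rel = p.relative_to(restored_root).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def restore_drill() -> tuple:
    """Run a full cycle in a scratch directory: back up, restore, verify, then
    damage the restored copy and confirm the check reports it.
    Returns (problems_on_clean_restore, problems_on_damaged_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "data").mkdir(parents=True)
        # Constructed sample data standing in for a real system.
        (live / "config.ini").write_text("[db]\nhost=db01\n")
        (live / "data" / "readings.csv").write_text("ts,value\n1,2\n")

        manifest = build_manifest(live)        # kept with the back-up inventory
        backup = Path(tmp, "backup")
        shutil.copytree(live, backup)          # the back-up copy itself
        restored = Path(tmp, "restored")
        shutil.copytree(backup, restored)      # restoration into a clean location

        clean = verify_restore(restored, manifest)

        # Simulate a bad medium: one file silently altered, one lost.
        (restored / "data" / "readings.csv").write_text("ts,value\n1,3\n")
        (restored / "config.ini").unlink()
        damaged = verify_restore(restored, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore:", clean or "OK")
    print("damaged restore:", damaged)
```

The manifest is deliberately kept apart from the back-up copy itself: a manifest stored on the same medium shares that medium's fate, whereas one kept with the inventory records lets an operator prove, not assume, that a restore reproduced what was backed up.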

3.9.5.6. Network security management : This set of statements aims to ensure the protection of
information in networks and protection of the supporting network infrastructure.
3.9.5.6.1. Network controls
Networks shall be appropriately managed and controlled, to be protected from threats,
and to maintain security for the systems and applications using the network, including
information in transit. The following points should be considered:
o separation of operational responsibilities for networks from those for computer
systems and operations, where appropriate;
o implementation of appropriate controls to assure the availability of network
services and information services using the network;
o establishment of responsibilities and procedures for management of equipment
on the network, including equipment in user areas;
o special controls to safeguard the confidentiality and integrity of sensitive data
passing over the organization's network and to/from public networks;
o appropriate logging and monitoring of network activities, including security-
relevant actions; and

o management processes to ensure coordination of and consistency in the
elements of the network infrastructure.
3.9.5.6.2. Security of network services
Security features, service levels and management requirements for all network services
shall be identified in reasonable detail and included in network services capability
statements, whether those services are provided in-house or outsourced. The following
points should be considered:
o technologies applied for security of network services, such as authentication,
encryption and connection controls;
o technical parameters and rules for secured connection with the network; and
o procedures and processes to control/restrict network access.

3.9.5.7. Media handling : This set of statements aims to prevent unauthorized disclosure, modification,
removal or destruction of information assets, or interruptions to business activities due to
inappropriate media handling.
3.9.5.7.1. Management of removable media
Procedures and supporting standards shall be established for management of removable
media. The following points should be considered:
o where appropriate to the sensitivity of the data, logging and an audit trail of
removal of media from or relocations within the organization's premises;
o where appropriate to the sensitivity of the data, a requirement for authorization
prior to removal or relocation;
o appropriate redundancy of storage in light of the risks to the removable media,
including where storage retention requirements exceed the rated life of the
media;
o restrictions on the type of media, and on its usage, to ensure adequate security;
o registration and encryption of certain type(s) of media; and
o secure disposal of media when no longer needed.

3.9.5.7.2. Disposal of media
Media shall be disposed of securely and safely when no longer required, using formal
procedures. The following points should be considered:
o use of industry accepted secure disposal methods for media that contain (or
might contain) sensitive data;
o procedures and standards for identifying data that qualifies as sensitive; in the
absence of an explicit classification, information shall be treated as confidential
by default;
o where appropriate to the sensitivity of the data, logging and an audit trail of
disposal operations.
3.9.5.7.3. Information handling
Appropriate procedures for the handling and storage of information shall be established
to protect data from unauthorized disclosure or misuse. The following points should be
considered:
o physical and technical access restrictions appropriate to the data sensitivity level;
o handling and labelling of all media as per its indicated classification (sensitivity)
level;
o where appropriate to the sensitivity, maintenance of formal records of data
transfers, including logging and an audit trail; and
o review at appropriate intervals of distribution and authorized recipient lists.
3.9.5.7.4. Security of system documentation
System documentation shall be appropriately protected against unauthorized access.
The following points should be considered:
o secure storage of documentation, whether in paper or electronic form; and
o authentication and access control measures, where appropriate to the sensitivity
of the documentation.

3.9.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall Information Security policy
set.

3.9.7. Any References

Item Description

3.10. [ITD-IS-PL-010] Communications Policy

3.10.1. Policy summary

To ensure the protection of information in networks and its supporting information
processing facilities.
To maintain the security of information transferred within ADWEA and with any external
entity.

3.10.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

3.10.3. Background

Communications encompasses the breadth of digital data flows both within an organization and
between external entities across network infrastructures. These flows now include data, voice, video,
and all their associated signaling protocols. Securing these information flows as they traverse Intranets,
Extranets, and Internet, requires effective network infrastructure management as well as controls,
policies, and procedures.

3.10.4. Guiding principle

When beginning the process of developing and establishing a secure communications policy/program,
the following fundamentals must be considered and adhered to:
Develop policies and standards that support the:
o Establishment of clear authority and accountability for network management.
o Risk based segregation of groups of systems, users, and information systems
o Authority to control, actively monitor, and log traffic traversing designated ingress
and egress points.
Identify threats related to the communications environment.

o Evaluate threat scenarios and methods of network attack (reconnaissance,
exploitation, data exfiltration).
Identify the most critical systems, data, or equipment within the network.
Use routing and firewalls to define the network perimeter.
Use a border firewall and/or Intrusion Detection/Prevention devices to limit entry/exit of
network traffic.
Define the demilitarized zone of the network where the public can access limited
network resources, as well as public access points to the network such as open access ports
and public WiFi.
Define restricted portions of the network for use by authorized staff and facility personnel;
use identity and access management controls for users and systems on the network.
Define highly restricted portions of the network such as within data centers,
communications facilities, or other highly restricted areas.
Establish information transfer policies and encryption standards that address varied needs
for confidentiality, integrity, and non-repudiation of internal and external data exchanges.

3.10.5. Detailed policy requirements

3.10.5.1. Exchange of information: This set of statements aims to maintain the security of information
and software exchanged within ADWEA and with any external entity.
3.10.5.1.1. Information exchange
Formal standards and procedures shall be implemented to protect the exchange of
information, covering the use of all types of communications facilities and data storage
media. The following points should be considered:
o procedural controls designed to protect exchanged information from
interception, copying, modification, mis-routing or destruction;
o procedures for the detection of and protection against malicious code;
o procedures for the protection of wireless communications;

o use of cryptographic methods where appropriate to achieve sufficient
protection;
o standards or guidelines about acceptable and unacceptable uses of
communications facilities and media;
o user awareness and training about these policies and guidelines; and
o compliance with all relevant legal-regulatory-certificatory requirements for
information exchange.
3.10.5.1.2. Exchange agreements
Agreements shall be established for the exchange of information and software between
ADWEA and external parties. The following points should be considered:
o specification of management responsibilities for controlling/approving
agreements about transmissions and receipts;
o procedures to ensure appropriate identification and labelling, appropriate
notifications to sender and recipient, traceability and non-repudiation;
o minimum technical standards for packaging and transmission;
o specification of ownership and responsibilities for data protection, copyright,
license, compliance and similar considerations (see also Compliance policy); and
o specification of responsibilities and liabilities in the event of an information
security incident.
3.10.5.1.3. Physical media in transit
Media containing information shall be protected against unauthorized access, misuse or
corruption. The following points should be considered:
o procedures and standards for authorizing couriers, and a list of currently
authorized couriers;
o packaging standards, including technical protections (e.g., encryption); and
o physical protection standards (e.g., locked containers, tamper-evident tagging).
3.10.5.1.4. Electronic messaging
Information involved in electronic messaging shall be appropriately protected. Electronic
messaging includes email, IM, audio-video conferencing and any other one-to-one,
one-to-many, or many-to-many digital communications. The following points should be
considered:
o protecting messages from unauthorized access, modification or diversion;
o ensuring correct addressing and transportation;
o ensuring the general reliability and availability of messaging services;
o limiting the use of less-secure messaging systems (e.g., public IM); and
o stronger levels of authentication and message content protection when using
public networks.
3.10.5.1.5. Business information systems
Necessary standards and procedures shall be developed and implemented to protect
information associated with the interconnection of business systems. The following points
should be considered:
o a risk assessment of and appropriate countermeasures for vulnerabilities
associated with such interconnections;
o appropriate controls to manage information sharing using such interconnections;
o fallback and recovery arrangements in the event of interconnection failure.

3.10.5.2. Electronic commerce services: This set of statements aims to ensure the security of electronic
commerce services and their secure use.
3.10.5.2.1. Electronic commerce
Information involved in electronic commerce passing over public networks shall be
appropriately protected from fraudulent activity, contract dispute, and unauthorized
disclosure and modification.
3.10.5.2.2. On-line transactions
Information involved in on-line transactions shall be appropriately protected to prevent
incomplete transmission, misrouting, unauthorized message alteration, unauthorized
disclosure, unauthorized message duplication or replay.

3.10.5.2.3. Publicly available information
The integrity of information being made available on a publicly available system, such as a
Web server or social media, shall be appropriately protected to prevent unauthorized
modification or disclosures.

3.10.5.3. Monitoring: This set of statements aims to ensure that unauthorized information processing
activities are detected.
3.10.5.3.1. Audit logging
Audit logs that record user activities, exceptions, and information security events shall be
produced, and kept for an agreed-upon time period, to assist in future investigations and
access control monitoring. The following points should be considered:
o recording all key events, including the date/time and details of the event, the
user-ID associated, terminal identity and/or location, network addresses and
protocols, records of successful and unsuccessful system accesses or other
resource accesses, changes to system configurations, use of privileges, use of
system utilities and applications, files accessed and the kinds of access, alarms
raised by the access control or any other protection system (e.g., IDS/IPS);
o appropriate privacy protection measures for logged data that is identified as
confidential;
o appropriate technical, physical and administrative security protection of audit
logs, to ensure integrity and availability.
3.10.5.3.2. Monitoring system use
Procedures for monitoring use of information processing facilities shall be established and
the results of monitoring activities regularly reviewed. The following points should be
considered:
o event tracking and recording as specified in the "Audit logging" policy element;
o monitoring and review of data as determined by the criticality of the
application/system or information involved, past experience with information
security incidents, and general risk assessment.

3.10.5.3.3. Protection of log information
Logging facilities and log information shall be appropriately protected against tampering
and unauthorized access.
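The audit logging element (3.10.5.3.1) lists the fields an audit record must carry; this element requires that the records, once written, cannot be quietly altered. One technical way to meet the second requirement is to chain the records cryptographically, so that editing, reordering or deleting any record breaks the verification of everything after it. The Python below is an added illustration of that technique and is not ADWEA's logging implementation; the field names, the timestamps and the GENESIS_HASH anchor value are assumptions made for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Anchor for the first record; any fixed, published value works (assumption for the example).
GENESIS_HASH = "0" * 64


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: the same record must always hash the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditLog:
    """Append-only audit trail. Every record stores the hash of its predecessor and
    its own hash over all other fields, forming a chain from GENESIS_HASH."""

    def __init__(self):
        self.records = []

    def append(self, user_id, terminal, source_ip, event, outcome, when=None) -> str:
        """Record one event (fields follow the audit logging policy element)
        and return its hash."""
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = {
            "seq": len(self.records),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,
            "terminal": terminal,
            "source_ip": source_ip,
            "event": event,
            "outcome": outcome,
            "prev_hash": prev_hash,
        }
        record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
        self.records.append(record)
        return record["hash"]

    def verify(self) -> tuple:
        """Walk the chain. Returns (True, None) when intact, otherwise (False, index)
        for the first record whose content or link does not check out."""
        prev_hash = GENESIS_HASH
        for index, record in enumerate(self.records):
            if record.get("seq") != index or record.get("prev_hash") != prev_hash:
                return False, index          # gap, reorder or deletion
            body = {k: v for k, v in record.items() if k != "hash"}
            if hashlib.sha256(canonical(body)).hexdigest() != record.get("hash"):
                return False, index          # content edited in place
            prev_hash = record["hash"]
        return True, None


def demo() -> dict:
    """Build a short log, then show three tampering patterns the chain detects."""
    log = AuditLog()
    t0 = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)   # constructed timestamp
    log.append("j.doe", "WS-114", "10.20.1.17", "logon", "success", t0)
    log.append("j.doe", "WS-114", "10.20.1.17", "sudo", "failure", t0)
    log.append("admin1", "CON-1", "10.50.0.2", "config-change", "success", t0)
    results = {"intact": log.verify()}

    # 1. Edit a field without touching the stored hash.
    log.records[1]["outcome"] = "success"
    results["edited"] = log.verify()
    log.records[1]["outcome"] = "failure"

    # 2. Edit a field and recompute that record's own hash: the next link still breaks.
    log.records[1]["outcome"] = "success"
    body = {k: v for k, v in log.records[1].items() if k != "hash"}
    log.records[1]["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    results["rehashed"] = log.verify()

    # 3. Delete a record outright.
    del log.records[1]
    results["deleted"] = log.verify()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>9}: {outcome}")
```

The chain on its own only makes tampering detectable, not impossible: an attacker with write access can recompute every hash from the edited record onward. In practice the latest hash is therefore periodically copied somewhere the logging host cannot write (a separate log server, a signed daily digest), which is what turns the check into the protection this element asks for.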
3.10.5.3.4. Administrator and operator logs
System administrator and system operator activities shall be appropriately logged, as part
of the general audit trail process.
3.10.5.3.5. Fault logging
Faults shall be appropriately logged, analyzed and actions taken.
3.10.5.3.6. Clock synchronization
The clocks of all relevant information processing systems within an organization or security
domain shall be appropriately synchronized with an agreed-upon time source.

3.10.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall Information security policy set.

3.10.7. Any References

Item Description

3.11. [ITD-IS-PL-011] Access Control Policy

3.11.1. Policy summary

To cover the user access life-cycle with respect to the assignment and revocation of access
privileges.
To underscore the importance of the active participation of users in safeguarding the
access privileges and credentials provided to them, and the practices needed to prevent
unauthorized disclosure of privileged information.
To cover the mechanisms that an organization can use to ensure that only authorized users
have access to organizational computing devices.

3.11.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

3.11.3. Background

A basic element of any organization's information security program is the protection of information
resources that support the critical operations of the organization from unauthorized access,
modification, or disclosure. Access control is basically the use of administrative, physical, or technical
security features to manage how users and systems communicate and interact with other information
resources.

3.11.4. Guiding principle

The following comprise the core principles for developing an access control policy framework.
Roles and responsibilities related.
Need-to-Know: Access only to information needed to perform assigned tasks.
Need-to-Use: Access only to information resources needed to perform assigned tasks.
Access levels and privileges by role.
Periodic review and removal of access levels and privileges

Segregation of duties for requesting, authorizing, and reviewing access levels and privileges
What is required to identify users?
Requirement for vetting users in person
Requirement to protect and preserve records concerning user identification and
credentials
What criteria are used to determine the types of credentials used?
What criteria are used to determine the level of access to applications and services?
Identification of roles with privileged access
Contractual obligations for limiting access granted to vendors and partners
What is required from identity providers and from service providers?
Requirement to identify the security requirements of applications - both, purchased and
developed internally
Requirement to determine the Level of Assurance (LOA) required to access a service
based on risk

3.11.5. Detailed policy requirements

3.11.5.1. Business requirements for access control: The objective of this section is to provide policy
elements to control access to information, information processing facilities, and business
processes.
3.11.5.1.1. Access control
Access controls shall be periodically reviewed, based on business needs and external
requirements. Access controls shall take account of:
o security issues for particular information systems, given business needs,
anticipated threats and vulnerabilities;
o security issues for particular types of data, given business needs, anticipated
threats and vulnerabilities;
o all relevant legislative, regulatory and certificatory requirements;
o relevant contractual obligations or service level agreements;

o other organizational policies for information access, use and disclosure;
o consistency among such policies across the organization's systems and networks.
Related standard documents should be developed which shall include:
o clearly stated rules and rights based on user profiles / roles;
o consistent management of access rights across a distributed / networked
environment;
o an appropriate mix of logical (technical) and physical access controls;
o segregation of access control roles: as a minimum, access request, access
authorization and access administration shall not rest with the same role or
individual;
o requirements for formal authorization of access requests ("provisioning"); and
o requirements for authorization and timely removal of access rights ("de-
provisioning").

3.11.5.2. User access management : This policy statement ensures only authorized users have
access to specific information and information systems. The following points should be
considered:
o formal procedures to control the allocation of access rights;
o procedures covering all stages in the life-cycle of user access, from provisioning
to de-provisioning;
o special attention to control privileged ("super-user") access rights; and
o appropriate technical measures for identification and authentication to ensure
compliance with defined access rights.
3.11.5.2.1. User registration
Formal user registration and de-registration procedures shall be implemented, for granting
and revoking access to all information systems and services. The following points should be
considered:
o assignment of unique user-IDs to each user;

o documented approval by function heads to ensure that each user's access is
consistent with business purposes and other security policy controls (e.g.,
segregation of duties);
o requiring users to sign statements indicating they understand the conditions of
access;
o ensuring service providers do not grant access until all authorization procedures
are completed;
o maintaining a current record of all users authorized to use a particular system or
service;
o immediately changing/eliminating access rights for users who have changed
roles or left the organization; and
o checking for and removing redundant or apparently unused user-IDs.
3.11.5.2.2. Privilege management
Allocation and use of access privileges shall be restricted and controlled. The following
points should be considered:
o development of privilege profiles for each system, based on intersection of user
profiles and system resources;
o granting of privileges based on these standard profiles when possible;
o a formal authorization process for all privileges;
o maintaining a current record of privileges granted.
3.11.5.2.3. User password management
Allocation of passwords shall be controlled through a formal management process. The
following points should be considered:
o requiring users to sign a statement indicating they will keep their individual
passwords confidential and, if applicable, any group passwords solely within the
group;
o secure methods for creating and distributing temporary, initial-use passwords;
o forcing users to change any temporary, initial-use password;

o development of procedures or technical controls to verify a user's identity prior
to providing a replacement password ("password reset");
o prohibiting storage of passwords on computer systems in unprotected form;
o prohibiting use of default vendor passwords, where applicable.
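Four of the points above (temporary initial-use passwords that must be changed at first log-on, identity verification before a reset, no unprotected storage, and no vendor default passwords) describe how a credential store has to behave rather than what users must do. The Python below is an added example of such a store and is not code from the ADWEA environment; the PBKDF2 iteration count, the minimum length and the small denylist of vendor default passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000          # assumption: cost parameter, tune per platform
SALT_BYTES = 16
MIN_LENGTH = 12                      # assumption: minimum length for user-chosen passwords
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default", "welcome1"}  # sample denylist


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool      # True for temporary / initial-use passwords


def derive(password: str, salt: bytes) -> bytes:
    """Only this derived value is ever stored; the clear-text password is not."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    def __init__(self):
        self._users = {}

    def issue_temporary(self, user_id: str) -> str:
        """Create or replace a credential with a random initial-use password and
        return it for out-of-band delivery. It must be changed at first log-on."""
        alphabet = string.ascii_letters + string.digits
        temporary = "".join(secrets.choice(alphabet) for _ in range(16))
        salt = os.urandom(SALT_BYTES)
        self._users[user_id] = Credential(salt, derive(temporary, salt), must_change=True)
        return temporary

    def verify(self, user_id: str, password: str) -> str:
        """Return 'ok', 'change_required' or 'denied'."""
        cred = self._users.get(user_id)
        if cred is None:
            derive(password, b"\x00" * SALT_BYTES)   # equalise timing for unknown users
            return "denied"
        if not hmac.compare_digest(derive(password, cred.salt), cred.digest):
            return "denied"
        return "change_required" if cred.must_change else "ok"

    def change_password(self, user_id: str, current: str, new: str) -> bool:
        """User-driven change: requires the current password and rejects vendor
        defaults, short values and re-use of the current password."""
        if self.verify(user_id, current) == "denied":
            return False
        if new.lower() in VENDOR_DEFAULTS or len(new) < MIN_LENGTH or new == current:
            return False
        salt = os.urandom(SALT_BYTES)
        self._users[user_id] = Credential(salt, derive(new, salt), must_change=False)
        return True

    def reset(self, user_id: str, identity_verified: bool):
        """Help-desk reset: refused unless the requester's identity was verified
        through the defined procedure. The replacement is again temporary."""
        if not identity_verified or user_id not in self._users:
            return None
        return self.issue_temporary(user_id)


if __name__ == "__main__":
    store = PasswordStore()
    temp = store.issue_temporary("j.doe")
    print("first log-on with temporary password:", store.verify("j.doe", temp))
    print("attempt to set a vendor default:", store.change_password("j.doe", temp, "changeme"))
    print("proper change:", store.change_password("j.doe", temp, "Correct-Horse-Battery-9"))
    print("later log-on:", store.verify("j.doe", "Correct-Horse-Battery-9"))
    print("reset without identity check:", store.reset("j.doe", identity_verified=False))
```

The must_change flag is what enforces "forcing users to change any temporary, initial-use password": a temporary password authenticates the user but never yields a normal session. The reset path takes an identity_verified argument rather than deciding for itself because the verification is a help-desk procedure, and the store should refuse to issue a replacement until that procedure reports success.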
3.11.5.2.4. User access token management
Allocation of access tokens, such as key-cards, shall be controlled through a formal
management process. The following points should be considered:
o requiring users to sign a statement indicating they will keep their access tokens
secure;
o secure methods for creating and distributing tokens;
o use of two-factor authentication where appropriate and technically feasible;
o development of procedures to verify a user's identity prior to providing a
replacement token; and
o prohibiting "loaning" of tokens.
3.11.5.2.5. Review of user access rights
Each user's access rights shall be periodically reviewed using a formal process. The following
points should be considered:
o review at regular intervals, and after any status change (promotion, demotion,
transfer, termination); and
o more frequent review of privileged ("super user") access rights.
Users shall also follow good security practices in the selection and use of passwords.
The following points should be considered advising/requiring users to:
o change a temporary password on first log-on;
o avoid storing passwords in automated log-on processes;
o not use the same password for business and non-business purposes; and
o use the same password for multiple systems/services only where a reasonable
level of security can be assured for each.
3.11.5.2.6. Access token use
Users shall follow good security practices in the use of tokens. The following points should
be considered advising/requiring users to:

o keep tokens secure and not "share" them;
o avoid keeping a paper or electronic record of PIN associated with a two-factor
token; and
o report when a token is lost or there is any suspicion that it has been
compromised.
3.11.5.2.7. Monitoring of activity history
Password/token activity history shall be monitored where available. The following points
should be considered while implementing this:
o observe and report discrepancies in "last successful login" and "last unsuccessful
login" information, when it is available; and
o observe and report discrepancies in date/time information for all activities which
have timestamps, such as file accesses or modifications.
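The two discrepancies this element asks to be observed can also be checked mechanically from the audit trail rather than relying on users noticing a "last login" banner. The Python below is an added example that reads constructed authentication log lines (the line format, user names, terminals and addresses are invented for the illustration and do not come from any ADWEA system), tracks each user's last successful and last unsuccessful log-on, and flags three patterns: a success that follows a run of failures, a success from a source address not previously seen for that user, and an unbroken run of failures with no success.

```python
import re

FAIL_THRESHOLD = 3   # assumption: failures in a row that warrant a finding

# Constructed sample lines; the format is invented for this example.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z auth user=j.doe term=WS-114 src=10.20.1.17 result=success
2024-03-04T08:30:00Z auth user=a.khan term=WS-207 src=10.20.3.8 result=success
2024-03-04T09:14:03Z auth user=j.doe term=WS-114 src=10.20.1.17 result=success
2024-03-04T17:05:10Z auth user=a.khan term=WS-207 src=10.20.3.8 result=failure
2024-03-04T17:05:25Z auth user=a.khan term=WS-207 src=10.20.3.8 result=success
2024-03-04T22:41:50Z auth user=j.doe term=VPN-GW1 src=198.51.100.23 result=failure
2024-03-04T22:42:01Z auth user=j.doe term=VPN-GW1 src=198.51.100.23 result=failure
2024-03-04T22:42:15Z auth user=j.doe term=VPN-GW1 src=198.51.100.23 result=failure
2024-03-04T22:42:30Z auth user=j.doe term=VPN-GW1 src=198.51.100.23 result=success
2024-03-04T23:10:02Z auth user=s.lee term=VPN-GW1 src=203.0.113.9 result=failure
2024-03-04T23:10:20Z auth user=s.lee term=VPN-GW1 src=203.0.113.9 result=failure
2024-03-04T23:10:41Z auth user=s.lee term=VPN-GW1 src=203.0.113.9 result=failure
2024-03-04T23:11:05Z auth user=s.lee term=VPN-GW1 src=203.0.113.9 result=failure
2024-03-04T23:59:59Z kernel: unrelated message that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) auth user=(?P<user>\S+) term=(?P<term>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line: str):
    """Return the event fields, or None for lines that are not auth records."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def analyse(lines) -> dict:
    """Per-user log-on history plus findings worth a human look."""
    # ISO-8601 UTC timestamps sort correctly as strings, so out-of-order input is fine.
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["time"])
    users = {}
    for ev in events:
        u = users.setdefault(ev["user"], {
            "last_success": None, "last_failure": None,
            "failures_since_success": 0, "known_sources": set(), "findings": [],
        })
        if ev["result"] == "failure":
            u["last_failure"] = (ev["time"], ev["term"], ev["src"])
            u["failures_since_success"] += 1
            continue
        if u["failures_since_success"] >= FAIL_THRESHOLD:
            u["findings"].append(
                f"success after {u['failures_since_success']} failures at {ev['time']}")
        if u["known_sources"] and ev["src"] not in u["known_sources"]:
            u["findings"].append(f"success from new source {ev['src']} at {ev['time']}")
        u["known_sources"].add(ev["src"])
        u["last_success"] = (ev["time"], ev["term"], ev["src"])
        u["failures_since_success"] = 0
    for u in users.values():
        if u["failures_since_success"] >= FAIL_THRESHOLD:
            u["findings"].append(f"{u['failures_since_success']} failures since last success")
    return users


if __name__ == "__main__":
    for user, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(user, "last success:", info["last_success"], "last failure:", info["last_failure"])
        for finding in info["findings"]:
            print("   !", finding)
```

On the sample data the script raises two findings for j.doe (a success immediately after three failures, from a public address never used before) and one for s.lee (four failures and no success), while a.khan's single mistyped password produces nothing. The thresholds and the "new source" heuristic are the tunable part; the structure, one pass over time-ordered events with per-user state, is what any such monitor needs.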
3.11.5.2.8. Appropriate use of user equipment
Users shall observe appropriate physical and technical practices with respect to the
equipment assigned to them. The following points should be considered:
o requirement to limit use to performing appropriate functions in an appropriate
manner;
o user training in appropriate functions and use; and
o monitoring of user behavior through appropriate technical means.
3.11.5.2.9. Unattended user equipment
Users shall ensure that unattended computing equipment has appropriate protection.
Unattended equipment controls mandated by this policy include, but are not limited to:
o terminating active (logged-in) sessions before a device is left unattended, unless
it can be securely "locked" (e.g., with a password-protected screensaver);
o physically securing devices, or the area in which a device is located, with a key-
lock or equivalent if a device will be unattended.

3.11.5.2.10. "Clear desk - clear screen" policy
Users shall ensure that desks and other work areas are kept cleared of papers and any
storage media when unattended. Computer screens shall be kept clear of sensitive
information when unattended.
3.11.5.2.11. "Clear equipment" policy
Photocopiers, fax machines and other office equipment shall be kept cleared of papers and
any storage media when unattended.

3.11.5.3. Network access control : The purpose of this section is to outline policies that support
prevention of unauthorized access to network services.
3.11.5.3.1. Policy on use of network services
Users shall only be provided with access to the services that they have been specifically
authorized to use. The following points should be considered:
o authorization procedures for determining who is allowed to access which
networks and network services, consistent with other access rights; and
o deployment of technical controls to limit network connections.
3.11.5.3.2. User authentication for external connections
Appropriate authentication methods shall be used to control remote access to the network.
3.11.5.3.3. Equipment/location identification in networks
Where appropriate and technically feasible, access to the network shall be limited to
identified devices or locations.
3.11.5.3.4. Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports shall be appropriately
controlled. The following points should be considered:
o physical security for on-site diagnostic and configuration ports;
o technical security for remote diagnostic and configuration ports; and
o disabling/removing ports, services and similar facilities which are not required.

3.11.5.3.5. Segregation in networks
Where appropriate and technically feasible, groups of information services, users and
services shall be segregated on networks. The following points should be considered:
o separation into logical domains, each protected by a defined security perimeter;
o secure gateways between/among logical domains.
3.11.5.3.6. Network connection control
Capabilities of users to connect to the network shall be appropriately restricted, consistent
with access control policies and application requirements. The following points should be
considered:
o filtering by connection type (e.g., messaging, email, file transfer, interactive access,
applications access).
3.11.5.3.7. Network routing control
Routing controls shall be implemented to ensure that computer connections and
information flows do not breach the access control policy of the business applications. The
following points should be considered:
o positive source and destination address checking;
o routing limitations based on the access control policy.

3.11.5.4. Operating system access control: The purpose of this section is to outline policies that
support prevention of unauthorized access to operating systems, and the data and services thereof.
Controls shall be implemented to restrict system access to authorized users, by requiring
authentication of authorized users in accordance with the defined access control policy. Controls
should include:
o providing mechanisms for authentication by what you know, what you have
and/or who you are;
o recording successful and failed system authentication attempts;
o recording the use of special system privileges;

o issuing alerts when access security controls are breached.

3.11.5.4.1. Secure log-on procedures


Access to systems shall be controlled by secure log-on procedures. The following points
should be considered:
o display of a general notice warning about authorized and unauthorized use;
o no display of system or application identifiers until successful log-on;
o no display of help messages prior to successful log-on that could aid an
unauthorized user;
o validation or rejection of log-on only on completion of all input data (e.g., both
user-ID and password);
o no display of passwords as entered (e.g., hide with symbols);
o no transmission of passwords in clear text;
o limits on the number of unsuccessful log-on attempts in total or for a given time
period;
o logging of successful and unsuccessful log-on attempts;
o limits on the maximum and minimum time for a log-on attempt; and
o on successful log-on, display date/time of last successful log-on and any
unsuccessful attempts.
3.11.5.4.2. User identification and authentication
All system users shall have a unique identifier ("user-ID") for their personal use only. A
suitable authentication technique -- knowledge-, token- and/or biometric-based -- shall be
chosen to authenticate the user. The following points should be considered:
o shared user-IDs are employed only in exceptional circumstances, where there is
a clear justification;
o generic user-IDs (e.g., "guest") are employed only where no individual-user audit
is required and limited access privileges otherwise justify the practice;

o strength of the identification and authentication method (e.g., use of multiple
authentication factors) is suitable to the sensitivity of the information being
accessed;
o regular user activities are not performed from privileged accounts.
3.11.5.4.3. Password management system
Systems for managing passwords shall ensure the quality of the authentication method. The
following points should be considered:
o log-on methods enforce use of individual user-IDs;
o set/change password methods enforce choice of strong passwords;
o force change of temporary password on first log-on;
o enforce password change thereafter at reasonable intervals;
o store passwords separately from application data; and
o store and transmit passwords in encrypted form only.
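As an added illustration of the log-on and password-management controls in 3.11.5.4.1 and 3.11.5.4.3 (example code written for this page, not part of the ADWEA policy set or of any ADWEA system), the following Python module locks an account after repeated failures inside a time window, logs every successful and failed attempt, stores only salted PBKDF2 hashes rather than clear-text passwords, forces a change of temporary and aged passwords, returns one generic failure message, and reports the last successful log-on together with the failures since. The class and function names, the thresholds (5 attempts in 15 minutes, 90-day password age, 12-character minimum) and the in-memory account store are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed thresholds for the example; use the values the ADWEA standards define.
MAX_FAILED_ATTEMPTS = 5                  # lock after this many failures ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... inside this window
MAX_PASSWORD_AGE = timedelta(days=90)    # force a change after this age
PBKDF2_ROUNDS = 200_000


def password_is_strong(pw: str) -> bool:
    """Assumed minimum complexity: 12+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 12
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only the salt and the hash are ever stored."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str                         # unique, individual user-ID
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    must_change: bool = False            # True while a temporary password is in use
    failures: List[datetime] = field(default_factory=list)
    last_success: Optional[datetime] = None
    failures_since_success: int = 0


class LogonService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit_log: List[str] = []   # every successful and failed attempt

    def create_account(self, user_id: str, temp_password: str, now: datetime) -> None:
        salt, h = hash_password(temp_password)
        self.accounts[user_id] = Account(user_id, salt, h, now, must_change=True)

    def set_password(self, user_id: str, new_password: str, now: datetime) -> None:
        if not password_is_strong(new_password):
            raise ValueError("password does not meet the strength requirement")
        acct = self.accounts[user_id]
        acct.salt, acct.pw_hash = hash_password(new_password)
        acct.pw_set_at, acct.must_change = now, False

    def log_on(self, user_id: str, password: str, now: datetime) -> Tuple[str, str]:
        """Return (status, message); status is 'ok', 'change_required', 'locked'
        or 'denied'. Every failure carries the same generic text, so the response
        does not reveal which part of the input was wrong."""
        acct = self.accounts.get(user_id)
        if acct is None:
            self.audit_log.append(f"{now.isoformat()} FAIL unknown-user")
            return "denied", "Log-on failed"
        # Keep only the failures inside the lockout window, then test the limit.
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW]
        if len(acct.failures) >= MAX_FAILED_ATTEMPTS:
            self.audit_log.append(f"{now.isoformat()} LOCKED {user_id}")
            return "locked", "Log-on failed"
        _, h = hash_password(password, acct.salt)
        if not hmac.compare_digest(h, acct.pw_hash):
            acct.failures.append(now)
            acct.failures_since_success += 1
            self.audit_log.append(f"{now.isoformat()} FAIL {user_id}")
            return "denied", "Log-on failed"
        # Success: report the previous log-on and the failures since, then reset.
        msg = (f"Last successful log-on: {acct.last_success}; "
               f"failed attempts since then: {acct.failures_since_success}")
        acct.last_success, acct.failures_since_success, acct.failures = now, 0, []
        self.audit_log.append(f"{now.isoformat()} OK {user_id}")
        if acct.must_change or now - acct.pw_set_at > MAX_PASSWORD_AGE:
            return "change_required", msg
        return "ok", msg
```

The audit log is a plain list here so the example runs offline; in a deployment it would feed the event logging required elsewhere in this policy, and the lockout would normally be time-limited exactly as shown so that an attacker cannot permanently deny a user access by supplying wrong passwords.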
3.11.5.4.4. Access token management system
Systems for managing access tokens shall ensure the quality of this authentication method.
3.11.5.4.5. Use of system utilities
Use of system utilities that are capable of overriding other controls shall be restricted, and
appropriately monitored (e.g., by special event logging processes).
3.11.5.4.6. Session time-out
Interactive sessions shall shut down and "lock out" the user after a defined period of
inactivity. Resumption of the interactive session shall require re-authentication. The
following points should be considered:
o time-out periods that reflect risks associated with type of user, setting of use and
sensitivity of the applications and data being accessed;
o waiver or relaxation of time-out requirement when it is incompatible with a
business process, provided other steps are taken to reduce vulnerabilities (e.g.,
encryption or removal of sensitive data, removal of network connection
capabilities).

3.11.5.4.7. Limitation of connection time


Restrictions on connection times shall be used to provide additional security for high-risk
applications or remote communications capabilities. The following points should be
considered:
o restricting connection time (e.g., to normal office hours);
o restricting connection locations (e.g., to IP address ranges); and
o requiring re-authentication at timed intervals.
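The following Python module is an added example (written for this page; not ADWEA code) showing how the session time-out in 3.11.5.4.6 and the connection-time limits in 3.11.5.4.7 can be enforced together: idle sessions lock and require re-authentication, with a shorter time-out for privileged users and a periodic re-authentication interval, and connections to high-risk applications are refused outside office hours or from source addresses outside permitted ranges. The user classes, time-out values, office hours, address ranges and re-authentication interval are assumed values, and the session store is in memory.

```python
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Time-out per user class reflects the risk of the user type and the data accessed (assumed values).
IDLE_TIMEOUT = {
    "standard": timedelta(minutes=15),
    "privileged": timedelta(minutes=5),
    "kiosk": timedelta(minutes=2),
}
REAUTH_INTERVAL = timedelta(hours=8)          # re-authenticate at timed intervals
OFFICE_HOURS = (time(7, 0), time(19, 0))      # permitted connection window, Mon-Fri
PERMITTED_SOURCES = [ip_network("10.0.0.0/8"),     # assumed internal range
                     ip_network("192.0.2.0/24")]   # RFC 5737 documentation range, stands in for a partner site


def connection_permitted(src_ip: str, when: datetime, *, high_risk: bool = True) -> Optional[str]:
    """Return None when the connection may proceed, otherwise the reason for refusal.
    The time and location restrictions apply to high-risk applications and remote access."""
    if not high_risk:
        return None
    if not any(ip_address(src_ip) in net for net in PERMITTED_SOURCES):
        return "source address outside permitted ranges"
    start, end = OFFICE_HOURS
    if when.weekday() >= 5 or not (start <= when.time() < end):
        return "outside permitted connection hours"
    return None


class Session:
    def __init__(self, user_id: str, user_class: str, started: datetime) -> None:
        self.user_id = user_id
        self.user_class = user_class
        self.last_activity = started
        self.last_auth = started
        self.locked = False


class SessionManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def open(self, token: str, user_id: str, user_class: str, now: datetime) -> None:
        self.sessions[token] = Session(user_id, user_class, now)

    def touch(self, token: str, now: datetime) -> str:
        """Call on every request. Returns 'active', 'locked' (re-authentication
        required before anything else is served) or 'expired' (unknown token)."""
        s = self.sessions.get(token)
        if s is None:
            return "expired"
        if s.locked:
            return "locked"
        idle_too_long = now - s.last_activity > IDLE_TIMEOUT[s.user_class]
        reauth_due = now - s.last_auth > REAUTH_INTERVAL
        if idle_too_long or reauth_due:
            s.locked = True            # lock the session; resumption needs re-authentication
            return "locked"
        s.last_activity = now
        return "active"

    def reauthenticate(self, token: str, now: datetime, credentials_ok: bool) -> bool:
        """Unlock a session only after the user has authenticated again."""
        s = self.sessions.get(token)
        if s is None or not credentials_ok:
            return False
        s.locked = False
        s.last_activity = s.last_auth = now
        return True
```

A waiver of the time-out for a business process, as the policy allows, would be expressed here as an additional user class with a longer value together with the compensating measures the policy names, rather than by disabling the check.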

3.11.5.5. Application and information access control: This set of statements aims to prevent
unauthorized access to information held in application systems.
3.11.5.5.1. Information access restriction
Access to information and application system functions by users and support personnel
shall be restricted in accordance with a defined access control policy that is consistent with
the organizational access policy.
3.11.5.5.2. Sensitive system isolation
Sensitive systems shall have a dedicated (isolated) computing environment wherever
technically feasible. The following points should be considered:
o explicit identification and documentation of sensitivity by each
system/application controller; and
o explicit identification and acceptance of risks when shared facilities and/or
resources must be used.

3.11.5.6. Mobile computing and teleworking: This set of statements aims to ensure information
security when using mobile computing and teleworking facilities. Controls shall be
implemented that are in line with the:
o type of user(s);
o setting(s) of mobile/teleworking use; and
o sensitivity of the applications and data being accessed from mobile/teleworking
settings.

3.11.5.6.1. Mobile computing and communications


This policy element ensures that appropriate security measures are adopted for mobile
computing and communications activities. Controls shall cover all kinds of portable devices such
as laptop, notebook and tablet computers, mobile phones, "smart" phone-PDAs and any
portable storage devices or media.
Adequate controls should be in place to ensure the following:
o physical protection;
o data storage minimization;
o access controls;
o cryptographic techniques;
o data backups;
o anti-virus and other protective software;
o operating system and other software updating;
o secure communication (e.g., VPN) for remote access; and
o sanitization prior to transfer or disposal.
3.11.5.6.2. Teleworking
Under this policy element appropriate standards, procedures and security measures shall
be adopted or developed for "teleworking" activities in off-premises locations. The
following points should be considered:
o physical security measures at the off-premises site;
o appropriate access controls, given reasonably anticipated threats from other
users at the site (e.g., family members);
o cryptographic techniques for data storage at and communications to/from the
site;
o data backup processes and security measures for those backup copies;
o security measures for wired and wireless network configurations at the site;

o policies regarding intellectual property used or created at the site, including
software licensing, should be aligned with ADWEA's information security policy;
o policies regarding organizational property used at the site (e.g., organizations'
computing hardware) should be aligned with ADWEA's information security
policy; and
o policies regarding private property used at the site (e.g., teleworkers' computing
hardware) should be aligned with ADWEA's information security policy.
3.11.5.6.3. BYOD (Bring your own device)
At the moment ADWEA does not allow BYOD for general usage scenarios (Bring Your Own
Device is a non-organization controlled telework client device). However, under specific
scenarios BYOD might be allowed based on explicit and documented approval given
by management. In that scenario the following policy elements should be considered:
o Follow the established rules for the acceptable use of BYOD assets that are used within
the ADWEA environment.
o Register BYOD with the IT department before accessing the ADWEA corporate network.
o Ensure there are technical and administrative controls in place to identify and report
noncompliance with the rules / standards of ADWEA.
o Ensure separation of personal and business data on BYOD.
o Do not store any ADWEA information on private media without prior authorization.
o ADWEA has the right to hold BYOD running ADWEA services as evidence for digital
forensic analysis as required.
o Sign an agreement acknowledging duties (physical protection, software updating, etc.),
waiving ownership of business data, and allowing remote wiping of data in case of theft or
loss of the device or when the user is no longer authorized to use the service.
o ADWEA reserves the right to disconnect such devices or disable services without
notification.
o Ensure acceptance of these rules is done before providing access to ADWEA IT
infrastructure.

3.11.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall Information security policy set.

3.11.7. Any References

Item Description

3.12. [ITD-IS-PL-012] Third-Party Security Policy

3.12.1. Policy summary

To ensure that third parties adequately secure the information and technology resources that they
access, process, and manage. This includes information sharing, defining legal obligations, and ensuring
non-disclosure agreements are executed to protect confidential information.
To ensure that supplier agreements are established and documented so that there is no
misunderstanding regarding both parties' obligations to fulfill relevant security requirements.

3.12.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.12.3. Background

External 3rd party suppliers are a vital component of business operations. Suppliers may have access to
a wide range of information from the supported organization. Once shared with a supplier, direct
control of this information is lost, regardless of sensitivity or value. As a result, appropriate technical
and contractual controls and mitigation processes must be established with all external suppliers.

3.12.4. Guiding principle

When developing and establishing a 3rd party security policy/ program, the following fundamentals
must be considered:
o Identify and document various suppliers and the types of information that they access or
manipulate.
o Identify current policies and standards that describe or include third party responsibilities
and any compliance requirements associated with external providers (e.g., NESA, HIPAA,
PCI DSS, ISO 27000).
o Review data classification standards and how these relate to the suppliers and information
that they handle. Where applicable it shall be ensured that information security and data
protection clauses are included in any supplier contracts.

o Review or develop a supplier lifecycle process, including initial reviews, monitoring,
validation, and ongoing assessments.

3.12.5. Detailed policy requirements

3.12.5.1. Security Policy for Supplier Relationships


3.12.5.1.1. Service Level Agreements shall be documented, and agreed upon by all parties
to ensure there is no possibility for misunderstanding between ADWEA and the
service provider regarding each party's obligations to fulfil relevant
cybersecurity requirements set forth by ADWEA's information security policies.
3.12.5.1.2. ADWEA shall assess the external/third-party service activities, taking into
account the criticality of ADWEA's components and relevant business impacts.
3.12.5.1.3. Service agreements shall include a methodology for communicating change
management issues between ADWEA and the external/third party.
3.12.5.1.4. All changes that must be communicated by the external/third party to ADWEA
shall be performed in accordance with ADWEA's Change Management
processes.
3.12.5.1.5. ADWEA should conduct audits of external/third parties in conjunction with
review of independent auditors' reports, if available, and follow-up on issues
identified.
3.12.5.1.6. A complete list of all Third Parties shall be developed and maintained in
ADWEA. The third party shall immediately inform and update ADWEA of any
changes in the personnel and/or information related to the third-party
organization and team that affect their involvement with ADWEA.
3.12.5.1.7. During the engagement period with third parties, ADWEA personnel shall
always follow security measures in order to protect the confidentiality,
availability and integrity of ADWEA information assets.
3.12.5.1.8. Any information being exchanged between ADWEA and the third party shall be
protected properly according to the guidelines in the Information Classification
Policy and Network and Communication Security Policy.
3.12.5.1.9. All third parties shall be informed about the information security policies and
procedures in ADWEA before starting any engagement and ensure that all the
necessary security requirements are properly enforced and addressed.
3.12.5.1.10. ADWEA reserves the right to monitor all the activities, access, network and
systems being utilized by the personnel of third parties at ADWEA premises.

3.12.5.2. Identification of Risk related to third parties


3.12.5.2.1. Third party assessment shall be conducted by ADWEA at least annually based
on business criticality of associated services, to identify the potential risks to
ADWEA assets resulting from the rights given to the third parties
(e.g. access, data processing, outsourcing of information, etc.).
3.12.5.2.2. All the identified risks shall be controlled and mitigated based on their priority
with respect to the confidentiality, availability and integrity of the information
being exchanged/processed with the third party.
3.12.5.3. Third Party Access
3.12.5.3.1. Third party access to ADWEA's information systems and information assets
shall be authorized and permitted by the information owner, assisted by the system
owners.
3.12.5.3.2. Any access granted to third party personnel shall be based on the principles of
need to know and need to have.
3.12.5.3.3. All third party personnel shall be given ADWEA access cards/badges for
the duration of the contract when third party personnel access is
required at ADWEA premises. The access cards given to third party personnel
should be marked as Non-Transferable and Returnable on termination of
contract.
3.12.5.3.4. For any logical access required by third party personnel, the guidelines detailed in
the Access Control Policy shall be followed, in addition to the following:
3.12.5.3.5. Third party personnel shall be given unique user IDs.
3.12.5.3.6. All access rights granted shall be defined and approved and revoked upon the
completion of the project or once the logical access is no longer needed.
3.12.5.3.7. Access privileges shall be clearly defined and approved by Information owner
assisted by the system owner.
3.12.5.3.8. Remote access, if required and approved, shall comply with the guidelines
listed in the Access Control Policy and Teleworking Policy.
3.12.5.3.9. Any changes to the access rights related to third party personnel shall be
controlled and modified by Information owner assisted by the system owner.
3.12.5.4. Security in Third Party Contracts
3.12.5.4.1. A formal contract shall be signed by third party and ADWEA to ensure the
protection of both.
3.12.5.4.2. All contracts with third parties shall be signed considering guidelines and
conditions followed in the legal and procurement departments in ADWEA.
3.12.5.4.3. Agreements with suppliers should include information security requirements
including supply chain.
3.12.5.4.4. ADWEA holds the right to audit and review the contract signed with the third
party to ensure the latter's compliance with the terms and conditions and
service levels that were agreed on.
3.12.5.4.5. Contracts signed with third parties should include the below conditions as a
minimum:
o A list of the types of access granted to all the participating individuals in the
engagement with ADWEA, along with the type of information that is permitted
to be exchanged with the third party during the duration of the contract.
o A detailed list of the level of logical and physical access to be provided to the
third party personnel to ensure the confidentiality and integrity of ADWEA's
information being processed by the third party.

o A list of agreed-on Service Levels that will ensure and support the availability of
ADWEA's information assets in the case of a disaster.
o Provision for confidentiality, non-disclosure and acceptable use clauses relating
to the information used and processed by the third party.
3.12.5.5. Third Party Responsibilities
3.12.5.5.1. Third party management shall ensure that their personnel assigned to ADWEA
projects are aware of and comply with ADWEA's Information Security Policies.
3.12.5.5.2. In case of any information security breach affecting ADWEA's information
assets, either within ADWEA's premises or at the third party's, the third party shall
notify ADWEA immediately of such incidents.
3.12.5.5.3. All software/hardware used by third parties' personnel to process or access
ADWEA's information assets shall be declared and checked by ADWEA and may
be subjected to an audit.
3.12.5.5.4. Any ADWEA assets given to third party personnel shall be returned to ADWEA
upon the completion of the engagement or whenever the asset is no longer
required to support their activities.
3.12.5.5.5. Third party personnel shall never override security controls in ADWEA under
any circumstances. Third parties shall never take advantage of the
vulnerabilities identified within ADWEA information systems in order to gain
unauthorized access.
3.12.5.6. Supplier Service Delivery Management
3.12.5.6.1. ADWEA shall periodically monitor, review and audit supplier service delivery.
3.12.5.6.2. Any exceptions to ADWEA's defined Supplier Service Delivery
requirements shall be recorded. Risks due to exceptions shall be managed to
acceptable levels through application of compensating controls.

3.12.5.7. Information Security Policy for Cloud Computing


3.12.5.7.1. Information security requirements for cloud environments: ADWEA shall
define information security requirements covering the retention, processing,
and storage of data in cloud environments. This should include the following
considerations:
o Perform necessary due diligence to determine requirements and restrictions
relevant to information processing, storage and retention in the cloud
environment with respect to ADWEA data criticality (and its classification).
o Include the cloud environment (and, where possible, its components) in the
risk assessment process.
o Develop and maintain specific security standards and procedures to ensure
compliance with this policy's requirements with respect to utilization of cloud-
based services.
o Ensure information about security incidents that happen at the cloud service
provider is communicated, when possible.
o Where possible, reserve a right to audit the security arrangements in place at the
cloud service provider.
3.12.5.7.2. Service delivery agreements with cloud providers: ADWEA shall document
relevant security requirements in service delivery agreements with cloud
service providers. Each service delivery agreement for cloud services shall
include provisions for:
o Understanding and maintaining awareness of where information with
applicable (e.g. geographical) restrictions will be stored or transmitted in the
cloud environment.
o Ensuring appropriate information migration plans at the end of the service
period.
o Ensuring all other cloud security requirements determined relevant by ADWEA
are included in the service delivery agreement.

3.12.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall Information security policy set.

3.12.7. Any References

Item Description

3.13. [ITD-IS-PL-013] Information Systems Acquisition, Development and Maintenance Policy

3.13.1. Policy summary

To ensure that security requirements are established as an integral part of the entire lifecycle of an
information system.
To ensure that development lifecycle processes are established to maintain the security of information
systems as the systems are designed, developed, tested, and maintained.
To ensure the protection of data used for testing.

3.13.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub policy elements.

3.13.3. Background

Security risks and events occur throughout a system's lifetime. This is true whether the system is
developed internally or purchased for on-premise hosting or cloud implementation. Security shall be
embedded throughout all phases of the system development life cycle, assessed during system
acquisition processes, and monitored during system maintenance, including disposal.

3.13.4. Guiding principle

To be most effective, information security must be integrated into the system lifecycle from system
inception through system disposal. Regardless of the formal or informal lifecycle methodology
employed, security can be incorporated into information systems acquisition, development and
maintenance by implementing effective security practices in the following areas:
o Security requirements for information systems
o Security in development and support processes
o Test data

3.13.5. Detailed policy requirements

3.13.5.1. Security requirements of information systems: The objective of this set of statements is
to ensure that security is an integral part of ADWEA's information systems, and of the
business processes associated with those systems.
3.13.5.1.1. Security requirements analysis and specification
Statements of business requirements for new information systems, or enhancements to
existing information systems shall include specification of the requirements for security
controls. The following points should be considered:
o consideration of business value of and legal-regulatory-certificatory standards
for information assets affected by the new/changed system(s);
o consideration of administrative, technical and physical controls available to
support security for the system(s);
o integration of these controls early in system design and requirements
specification; and
o a formal plan for testing and acceptance, including independent evaluation
where appropriate.

3.13.5.2. Correct processing in applications: This aims to prevent errors, loss, unauthorized
modification or misuse of information in applications.
3.13.5.2.1. Input and output data validation
Data input and output in applications shall be validated to ensure that the data is correct
and appropriate. The following points should be considered:
o use of both automatic and manual methods of data verification and cross-
checking, as appropriate; and
o defined responsibilities and processes for responding to detected errors.
3.13.5.2.2. Control of internal processing
Validation checks shall be incorporated into applications to detect the corruption of
information through processing errors or deliberate acts. The following points should be
considered:

o use of both automatic and manual methods of data verification and cross-
checking, as appropriate; and
o defined responsibilities and processes for responding to detected errors.
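As an added example for the input/output validation of 3.13.5.2.1 and the internal processing checks of 3.13.5.2.2 (written for this page; not ADWEA code), the following Python module validates constructed meter-reading records with format, allow-list, range and cross-check rules, then confirms that the control total of the accepted batch matches the total the sender declared, so that a record lost or altered during processing is detected and the whole batch is held back with a reportable error rather than stored. The field names, the meter-ID format, the limits and the sample records are assumptions.

```python
import re
from typing import Dict, List, Tuple

ALLOWED_UNITS = {"kWh", "m3"}                 # assumed allow-list of units
METER_ID = re.compile(r"^[A-Z]{2}\d{6}$")     # assumed meter-ID format
MAX_READING = 1_000_000                       # assumed plausibility ceiling


def validate_record(rec: Dict) -> List[str]:
    """Return the list of problems found; an empty list means the record is acceptable."""
    problems: List[str] = []
    meter = rec.get("meter_id")
    if not isinstance(meter, str) or not METER_ID.match(meter):
        problems.append("meter_id: malformed")
    if rec.get("unit") not in ALLOWED_UNITS:
        problems.append("unit: not in allow-list")
    reading = rec.get("reading")
    # bool is a subclass of int, so exclude it explicitly.
    if (not isinstance(reading, int) or isinstance(reading, bool)
            or not 0 <= reading <= MAX_READING):
        problems.append("reading: not an integer within 0..MAX_READING")
    prev = rec.get("previous_reading")
    # Cross-check against the prior value: a meter does not run backwards.
    if isinstance(reading, int) and isinstance(prev, int) and reading < prev:
        problems.append("reading: lower than previous_reading (cross-check)")
    return problems


def process_batch(records: List[Dict], declared_total: int) -> Tuple[List[Dict], List[str]]:
    """Validate every record, then confirm the control total of the accepted
    readings equals the total declared by the sender. Any problem rejects the
    batch and returns messages for the error-handling process to act on."""
    accepted: List[Dict] = []
    errors: List[str] = []
    for i, rec in enumerate(records):
        probs = validate_record(rec)
        if probs:
            errors.append(f"record {i}: " + "; ".join(probs))
        else:
            accepted.append(rec)
    if errors:
        return [], errors
    if sum(r["reading"] for r in accepted) != declared_total:
        return [], ["batch control total mismatch: processing corruption suspected"]
    return accepted, []


# Constructed sample batch for the example.
SAMPLE_BATCH = [
    {"meter_id": "AB123456", "unit": "kWh", "reading": 100, "previous_reading": 90},
    {"meter_id": "CD654321", "unit": "m3", "reading": 50, "previous_reading": 50},
]
SAMPLE_DECLARED_TOTAL = 150
```

Rejecting the entire batch on a control-total mismatch is the conservative choice: the check cannot tell which record was altered, so passing the others through would store data of unknown integrity.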
3.13.5.2.3. Message integrity
Requirements for ensuring authenticity and protecting message integrity in applications
shall be identified, and appropriate controls implemented.

3.13.5.3. Cryptographic controls: This set of statements aims to protect the confidentiality, integrity
and authenticity of information by cryptographic means.
3.13.5.3.1. Policy on the use of cryptographic controls
ADWEA shall develop the use of cryptographic controls for the protection of information based on
the points mentioned below:
o develop specifications (or applicable standards) based on a thorough risk assessment,
that considers appropriate algorithm selections, key management and other core
features of cryptographic implementations;
o cryptographic controls should be applied as appropriate, to data at rest and fixed-
location devices, data transported by mobile/removable media and embedded in mobile
devices, and data transmitted over communications links;
o specification of roles and responsibilities for implementation of and the monitoring of
compliance with the policy; and
o consideration of legal restrictions on technology deployments.
3.13.5.3.2. Key management
Key management standards and processes shall be implemented to support an
organization's use of cryptographic techniques. The following points should be considered
and supported by relevant procedures:
o distributing, storing, archiving and changing/updating keys;
o recovering, revoking/destroying and dealing with compromised keys; and
o logging all transactions associated with keys.
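The following Python module is an added example (written for this page; not ADWEA code) that ties the message integrity requirement of 3.13.5.2.3 to the key management points of 3.13.5.3.2: HMAC-SHA256 tags protect message authenticity and integrity, keys are held in a register by key identifier, rotation archives the previous key so that earlier messages still verify while nothing new is signed with it, revocation refuses a compromised key for both signing and verification, and every key transaction is logged. The class name, the key size, the rotation interval and the in-memory register are assumptions; a production register would keep the key material in an HSM or a managed key store rather than in process memory.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

KEY_BYTES = 32                          # assumed: 256-bit HMAC keys
ROTATION_INTERVAL = timedelta(days=90)  # assumed rotation period


class KeyRegister:
    """Holds HMAC keys by key identifier ("kid") through their lifecycle:
    active (signs and verifies), archived (verifies only), revoked (neither)."""

    def __init__(self) -> None:
        self.keys: Dict[str, dict] = {}          # kid -> {"key", "state", "created"}
        self.active_kid: Optional[str] = None
        self.log: List[str] = []                 # every transaction associated with keys
        self._counter = 0

    def _record(self, now: datetime, event: str, kid: str) -> None:
        self.log.append(f"{now.isoformat()} {event} {kid}")

    def generate(self, now: datetime) -> str:
        """Create a new active key. The previously active key is archived so that
        messages protected with it still verify, but it signs nothing new."""
        self._counter += 1
        kid = f"hmac-{self._counter:04d}"
        self.keys[kid] = {"key": os.urandom(KEY_BYTES), "state": "active", "created": now}
        if self.active_kid is not None:
            self.keys[self.active_kid]["state"] = "archived"
            self._record(now, "ARCHIVE", self.active_kid)
        self.active_kid = kid
        self._record(now, "GENERATE", kid)
        return kid

    def revoke(self, kid: str, now: datetime) -> None:
        """Compromised or retired key: refuse both signing and verification from now on."""
        self.keys[kid]["state"] = "revoked"
        if self.active_kid == kid:
            self.active_kid = None
        self._record(now, "REVOKE", kid)

    def rotate_if_due(self, now: datetime) -> bool:
        """Generate a replacement when there is no active key or it has aged out."""
        current = self.keys.get(self.active_kid) if self.active_kid else None
        if current is None or now - current["created"] >= ROTATION_INTERVAL:
            self.generate(now)
            return True
        return False

    def protect(self, message: bytes, now: datetime) -> Tuple[str, str]:
        """Return (kid, hex tag) computed with the active key; both travel with the message."""
        if self.active_kid is None:
            raise RuntimeError("no active key; call generate() or rotate_if_due() first")
        kid = self.active_kid
        tag = hmac.new(self.keys[kid]["key"], message, hashlib.sha256).hexdigest()
        self._record(now, "SIGN", kid)
        return kid, tag

    def verify(self, message: bytes, kid: str, tag: str, now: datetime) -> bool:
        """Accept only if the named key exists, is not revoked, and the tag matches
        (constant-time comparison)."""
        entry = self.keys.get(kid)
        if entry is None or entry["state"] == "revoked":
            self._record(now, "VERIFY-REJECT", kid)
            return False
        expected = hmac.new(entry["key"], message, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, tag)
        self._record(now, "VERIFY-OK" if ok else "VERIFY-FAIL", kid)
        return ok
```

Carrying the key identifier with every tag is what makes rotation painless: the verifier looks up the key the sender actually used instead of guessing, and the register decides from the key's state whether that key may still be trusted.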

3.13.5.4. Security of system files: This set of statements aims to ensure the security of critical system
files.
3.13.5.4.1. Control of operational software
ADWEA shall control the installation of software on operational systems, to minimize the
risk of interruptions or corruption of information services. The following points should be
considered:
o updating performed only with appropriate management authorization;
o updating performed only by appropriately trained personnel;
o only appropriately tested and certified software deployed to operational
systems;
o appropriate change management and configuration control processes for all
stages of updating;
o appropriate documentation of the nature of the change and the processes used
to implement it;
o a rollback strategy in place, including retention of prior versions as a contingency
measure; and
o appropriate audit logs maintained to track changes.
3.13.5.4.2. Protection of system test data
Test data shall be selected carefully and appropriately logged, protected and controlled.
3.13.5.4.3. Access control for program source code
Access to program source code shall be restricted. The following points should be
considered:
o appropriate physical and technical safeguards for program source libraries,
documentation, designs, specifications, verification and validation plans; and
o maintenance and copying of these materials subject to strict change
management and other controls.

3.13.5.5. Security in development and support processes: This set of statements aims to maintain
the security of application system software and information.
3.13.5.5.1. Change control procedures
The implementation of changes shall be controlled by the use of formal change control
procedures. The following points should be considered:
o a formal process of documentation, specification, testing, quality control and
managed implementation;
o a risk assessment, analysis of actual and potential impacts of changes, and
specification of any security controls required;
o a budgetary or other financial analysis to assess adequacy of resources;
o formal agreement and approval of changes by appropriate management;
o appropriate notification of all affected parties prior to implementation, on the
nature, timing and likely impacts of the changes; and
o scheduling of changes to minimize the adverse impact on business processes.
3.13.5.5.2. Technical review of applications after operating system changes
When operating systems and processes are changed, critical business processes shall be
reviewed and tested to ensure that there has been no adverse impact.
3.13.5.5.3. Restrictions on changes to software packages
Modifications to software packages shall be discouraged, limited to necessary changes, and
all changes shall be strictly controlled and monitored.
3.13.5.5.4. Information leakage
Opportunities for information leakage shall be appropriately minimized or prevented. The
following points should be considered:
o risk assessment of the probable and possible mechanisms for information
leakage, and consideration of appropriate countermeasures;
o regular monitoring of likely information leak mechanisms and sources; and
o end-user awareness and training on preventive strategies (e.g., to remove metadata in transferred files).


3.13.5.5.5. Outsourced software development
Outsourced software development shall be appropriately supervised and monitored by the
organization.

3.13.5.6. Technical vulnerability management: This set of statements aims to reduce risks resulting
from exploitation of published technical vulnerabilities.
3.13.5.6.1. Control of technical vulnerabilities
Timely information about technical vulnerabilities of information systems used by the
organization shall be obtained, evaluated in terms of organizational exposure and risk, and
appropriate countermeasures taken. The following points should be considered:
o a complete inventory of information assets sufficient to identify systems put at
risk by a particular technical vulnerability;
o procedures to allow timely response to identification of technical vulnerabilities
that present a risk to any of the organization's information assets, including a
timeline based on the level of risk;
o defined roles and responsibilities for implementation of countermeasures and
other mitigation procedures.

3.13.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall Information Security
policy.

3.13.7. Any References

Item Description


3.14. [ITD-IS-PL-014] Information Security Incident Management Policy

3.14.1. Policy summary

To ensure a consistent and effective approach to the management of information security incidents,
including communication on security events and weaknesses.
Ensure personnel are trained and equipped to detect, report, and respond to adverse events, providing
the foundation for effective Information Security Incident Management.
Build an effective, timely, repeatable methodology for managing information security incidents that
meets legal requirements and is continually improved.
To ensure that the Information security incident response is integrated with the overall risk
management process to provide the capability to update the risk management portfolio.

3.14.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

3.14.3. Background

No matter the extent of our defenses, it is inevitable that information security incidents will occur. For
this reason, establishing, periodically assessing, and continually improving incident management
processes and capabilities is very important.

3.14.4. Guiding principle

These are some of the fundamental elements of any incident management program which can act as
our guidelines for developing an appropriate IS incident management policy and process. They are listed
below.
• Define what constitutes an information security incident and review how varied incidents can be classified.
• Consider what constitutes an information security incident that requires special handling (vs. common security events). Review incident classification schemes that allow for aligning handling procedures to potential impacts and risks.
• Identify and establish essential roles and procedures needed for effective incident management.
• Evaluate the technical and operational capabilities of your organization to detect and respond to security incidents. Consider how senior management support can be gained to formalize effective incident management processes. Formulate procedures and workflow for effectively addressing incidents throughout their lifecycle.
• Create effective communication, coordination, and reporting plans for a broad spectrum of incidents, including data breach events.
• Identify key partners and stakeholders and levels of communication and engagement.
• Review the legal and contractual communication requirements associated with data types that may be involved in information security incidents.
• Adapt and learn from security incidents and strive for continual improvement by identifying and planning for training needs and enhancement of response capabilities.

3.14.5. Detailed policy requirements

3.14.5.1. Reporting information security events and weaknesses: This set of statements aims to ensure
that information security events and weaknesses associated with ADWEA's information and
information system assets are communicated in a manner that allows appropriate corrective
actions to be taken.

3.14.5.1.1. Reporting information security events
Information security events shall be reported through appropriate channels as quickly as
possible. The following points should be considered:
• establishment of formal event reporting process(es) and procedure(s), setting out actions to be taken and points of contact;
• awareness on the part of all employees, contractors and third-party users of the need to report security events and weaknesses through the established channels;
• awareness of the requirement to report as quickly as possible, with sufficient detail to allow a timely response;
• suitable feedback processes to ensure that those reporting events are appropriately notified of results.
3.14.5.1.2. Reporting security weaknesses
All employees, contractors and third-party users shall be required to note and report any
observed or suspected security weaknesses in systems or services as soon as possible. The
following points should be considered:
• easy, accessible channels for reporting, the availability of which is clearly communicated to employees, contractors and third parties;
• reasonable awareness on the part of employees, contractors and third parties of common signs and symptoms of security events;
• a reporting requirement that extends to malfunctions or other anomalous events that might indicate a security weakness;
• awareness on the part of employees, contractors and third parties that they shall report, but not attempt to test, a suspected security vulnerability.

3.14.5.2. Management of information security incidents and improvements: This set of statements
aims to ensure a consistent and effective approach is applied to the management of
information security events and incidents.

3.14.5.2.1. Responsibilities and procedures
Management responsibilities and procedures shall be established to ensure a quick,
effective and orderly response to information security incidents. The following points
should be considered:
• processes to ensure that adequate review and reporting is done based on the monitoring of detected events and incidents;
• procedures designed to respond to different types and severities of incident, including appropriate analysis and identification of causes, and containment;
• procedures for communication with those actually or potentially affected by the incident;
• reporting of the incident to appropriate authorities;
• planning and implementation of corrective action to prevent recurrence as appropriate;
• collection and use of audit trails and similar evidence as part of the incident management and investigation process, and appropriate management of this evidence for use in subsequent legal or disciplinary proceedings;
• formal controls for recovery and remediation, including appropriate documentation of actions taken.
3.14.5.2.2. Learning from information security incidents
There shall be mechanisms in place to enable the types, volumes and impact of information
security incidents to be quantified and monitored. The following points should be
considered:
• routine sharing of data on information security incidents among the parties responsible for receiving reports and managing investigations;
• periodic reports summarizing the data related to information security incidents.
3.14.5.2.3. Investigation of incidents
Where disciplinary or legal action may be part of the follow-up to an information security
incident, any investigation shall be initiated in a manner that follows documented
procedures and conforms to accepted practices. The following points should be considered:
• specifying who may request an investigation, and on what basis;
• specifying who may initiate an investigation, including collection of evidence;
• specifying the necessary documentation to initiate an investigation, and the documentation required as the investigation proceeds;
• procedures for securing and maintaining the integrity of investigatory records;
• observing appropriate procedures to assure "chain of custody" for any information collected.


3.14.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall Information security
policy.

3.14.7. Any References

Item Description


3.15. [ITD-IS-PL-015] Information Systems Continuity Planning Policy

3.15.1. Policy summary

Information system continuity planning provides a managed, organized method for the deployment of
resources and procedures to assure the continuity of critical business operations under extraordinary
circumstances, including the maintenance of measures to assure the privacy and security of its
information resources. The key objective is to ensure timely resumption from, and if possible
prevention of, interruptions to business activities and processes caused by failures of information
systems.

3.15.2. Applicability

This policy is applicable to all ADWEA and its Group of companies information assets, including (but not
limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

3.15.3. Background

Organizations are vulnerable to a variety of natural and man-made emergencies, disasters, and
hazards. Recognizing that not all events can be prevented and some risks may be deemed acceptable,
proper planning is essential to maintain or restore services when an unexpected or unavoidable event
disrupts normal operations.

3.15.4. Guiding principle

These are some of the fundamental elements of any critical functions continuity program which can
act as guidelines for developing an appropriate Information Systems Continuity related policy and
process. They are listed below.
• Obtain commitment and authority from organizational leadership. High-level support is essential for building the cross-functional teams that are needed to prepare and deploy the plan.
• Establish a planning team for each business unit.
• Perform a risk assessment in each unit.
• Identify critical resources:
o People: identify all support staff, and establish a chain of succession for key personnel.
o Places: identify key buildings, and plan alternate locations for workers and equipment.
o Systems: perform a business impact analysis to prioritize systems in terms of criticality.
o Other: identify other critical assets required for normal business operations.
• Determine continuity and recovery strategies within each unit.
• Train staff on what to do in case of a disaster.
• Test system recovery procedures at different levels.
• Create a communication plan.
• Review the Information systems continuity plan annually.

3.15.5. Detailed policy requirements

3.15.5.1. Information security aspects of Information systems continuity management: The objective
is to ensure timely resumption from, and if possible prevention of, interruptions to business
activities and processes caused by failures of information systems.

3.15.5.1.1. Information systems continuity management process
A managed process shall be developed and maintained for Information systems continuity
throughout ADWEA. The following points should be considered:
o development and documentation of Information systems continuity plans and
processes, including assignment of responsibilities and incorporation into
ADWEA's general processes and structure; and
o regular testing and updating of Information systems continuity plans and
processes.


3.15.5.1.2. Information systems continuity and risk assessment
Events that can cause interruptions to business processes shall be identified, along with the
probability and impact of such interruptions and their consequences for information
security. The following points should be considered:
o identification of information assets involved in critical business processes;
o identification of all significant risk/risk categories associated with critical assets,
including the probability and probable impact on operations in terms of scale,
likely damage and recovery period;
o full involvement of information owners of significant organizational assets in the
assessment process;
o identification of acceptable and unacceptable losses and interruptions; and
o formal documentation of the assessment's results, and their use as an input in the
development of Information systems continuity plans.
3.15.5.1.3. Developing and implementing Information systems continuity plans
Information systems continuity plans shall be developed and implemented to maintain or
restore operations and ensure availability of information at the required level and in the
required time. The following points should be considered:
o Identification and agreement on all responsibilities and operational procedures;
o specification of the disaster recovery procedures to effect recovery and
restoration of business processes;
o a data backup plan to ensure recovery of all data following process restoration,
including the ability to replicate exact copies of data in its state prior to disruption
of operations;
o specification of any alternative operational procedures to follow post recovery
and restoration, including methods for accessing all critical data;
o documentation of the above plan elements;
o appropriate education and awareness for staff on the plan elements;
o testing and updating of the plan.


3.15.5.1.4. Information systems continuity planning framework
A single framework of Information systems continuity plans shall be maintained to ensure
that all plans are consistent, consistently assess information security requirements, and to
identify priorities for testing and maintenance. The following points should be considered:
o specification of conditions and criteria for activating the plan; and
o formal assignment of responsibilities for making assessments about plan
activation, choices among emergency procedures and processes, resumption
procedures, etc.
3.15.5.1.5. Testing, maintaining and re-assessing Information systems continuity plans
Information systems continuity plans shall be tested and updated regularly to ensure that
they are up to date and effective. The following points should be considered:
o Assuring that all persons with significant responsibilities under the plan(s) are
aware of and competent to perform their responsibilities;
o a range and frequency of testing exercises, from table-top to complete
rehearsals, performed as necessary to ensure awareness and competence; and
o regular reviews and updating of the plan(s) considering testing results.

3.15.6. Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall Information Security
policy.

3.15.7. Any References

Item Description


4. ROLES AND RESPONSIBILITIES

Role / Description / Responsibilities

ISGC (Information Security Governance Committee)
The role of the ISGC is to coordinate corporate security initiatives at the executive level and thus enable ADWEA to optimize spending, manage their infrastructure and minimize security risk.
The ISGC is responsible for the following:
• Work with all strategic partners to develop, coordinate and follow up a national information security plan and program based on effective risk management to enhance the protection of information and assets in coordination with the relevant authorities.
• Ratify the findings of security-related assessments and serve as the primary oversight function to ensure corrective actions are addressed.
• Ratify Information Security Plans, Risk Assessments and Information Security Continuity Plans and verify performance against defined objectives by reviewing IT Security Program KPIs.
• Ensure security controls are in place to maintain and safeguard the integrity of information resources by balancing risk assessment, best practice information security techniques and national security standards.
• Provide guidance and leadership to maintain and improve the confidentiality, integrity and availability of information.
• Serve as a point of escalation for security-related issues and concerns.
• Ratify assignment of information ownership, classification of principal information assets and information lifecycle.
• Ratify the information security policy and supporting policies and ensure their effectiveness.
• Assess any requests for policy exceptions from individual business units.
• Verify the effectiveness of information security awareness and training activities.
• Act as the primary management-oriented conduit for security-related matters to the board and other senior stakeholders.

CISO (Chief Information Security Officer)
The CISO has the overall responsibility for the management of information security.
He is responsible for the following:
• Develop and manage an information security plan that identifies the information security environment and controls to be implemented to protect information assets, and monitor these internal controls and adjust/improve them when required.
• Define and manage information security risk assessments and the risk treatment plan.
• Review/approve IT Security business cases, request funding and resources, and provide progress reports to the ISGC.
• Identify processes and a schedule for monitoring, tracking and reporting IT Security Program success.
• Manage creation of and changes to IT Security Program Charter documents.
• Act as coordinator for facilitating Risk, Incident and Audit management activities.
• Interface with operations, customers and vendors to communicate IT Security Program policy, process and procedure changes.
• Escalate major IT Security Program issues to the ISGC.
• Communicate Information Security Policy deviations or non-conformance issues to the ISGC.
• Provide ways to improve the efficiency and effectiveness of the information security function.
• Collect and analyze performance and compliance data relating to information security and information risk management.
• Provide guidance to the IT Security Team.
• Set capability requirements and training plans for IT Security Team members.
• Build the IT Security communications plan.

IT Security Analyst
• Coordinate Risk, Incident and Audit management activities.
• Conduct Threat, Vulnerability, and Risk Assessments.
• Contribute to development of IT Security Program Implementation Plans.
• Identify and document security risks.
• Create a uniform set of procedural controls.
• Monitor and report risks and status to the CISO.
• Manage the IT implementation plan and remediation activities.
• Execute Security Incident Management and Response activities.
• Execute the IT Security communications plan.

Information Owner
An information owner is defined as a person (or persons) with statutory or operational authority for specific information or information resources. The information owner is responsible for the following:
• Accountable for the protection of information assets under their authority.
• Classify and define the lifecycle of information under their authority, in accordance with ADWEA information classification categories.
• Approve access to information resources and periodically review access lists.
• Review security controls applied to information under their authority.
• Justify, document, and be accountable for exceptions to security controls.
• Serve as trusted advisors and monitoring agents regarding information within their authority.

System Owner
A system owner is defined as an individual or a department responsible for implementing the defined controls and access to an information resource. The system owner is responsible for:
• Procurement, development, integration, modification, operation, maintenance, and disposal of an information system.
• Addressing the operational interests of the Information owner and ensuring compliance with information security requirements.
• Development and maintenance of the system-specific security plan, and ensuring that the system is deployed and operated in accordance with the agreed-upon security controls.

Department Managers
Accountable for supporting the Information Security Policy and ensuring staff compliance in their respective departments.


Information Security Business Team
The Information Security Business Team is defined as a group of individuals across different departments nominated by their department head.
The Information Security Business Team is responsible for the following in their respective department:
• Monitor Information Security Policies compliance.
• Monitor data classification.
• Report noncompliance to their department manager and the CISO.


5. EXCEPTIONS AND CONDITIONS

All the defined security policies are applicable to new Information systems with no
exception. However, where the above security measures cannot be implemented in existing
systems due to older technology or system limitations, the policy recommends enforcing the
measures to an acceptable extent without affecting the performance, integrity and
availability of the Information systems.
Temporary override of security controls such as Application Whitelisting, DLP, HIPS, etc. may
be allowed for legitimate job requirements by authorized personnel with approval.

Security updates / solutions, including new virus definitions, operating system patches, etc., shall
be qualified / approved by the respective system vendors as and where necessary.


6. REFERENCES

Item Description


7. DEFINITIONS

Glossary / Acronym (if any) / Definition

Information Security (InfoSec): preservation of the availability, integrity, and confidentiality of information
Availability (A): property of being accessible and usable upon demand by an authorized entity
Integrity (I): property of protecting the accuracy and completeness of assets
Confidentiality (C): property that information is not made available or disclosed to unauthorized individuals, entities, or processes
Policy: overall intention and direction as formally expressed by management
Process: set of interrelated or interacting activities which transforms inputs into outputs
Procedure: specified way to carry out an activity or process
Exception: any deviation from security policies and standards
Process Owner: person or role who has ultimate responsibility for the performance of a process
Standard: technical specification contained in a document consisting of definitions, limits, or rules which have been approved and are monitored for compliance
System: a combination of related parts organized into a complex whole; a method or set of procedures for achieving something, including both services and processes
Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature


Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
Risk management policy: statement of the overall intentions and direction of an organization related to risk management
Risk owner: person or entity with the accountability and authority to manage a risk
Stakeholder: person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
Level of risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
Risk evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
Residual risk: risk remaining after risk treatment
Cloud Computing: the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.


8. ACCEPTABLE USE POLICY SECTION:

8.1. Policy summary

This policy is to outline the acceptable use of computing and communications resources at ADWEA.
These rules are in place to protect the employee and ADWEA. Inappropriate use exposes ADWEA
to risks including malware attacks and compromise of network systems and services.

8.2. Applicability

This policy is applicable to all information assets of ADWEA and its Group of companies, including (but
not limited to) people, process and technology, unless specific overriding scopes are identified and
approved through additional policy / sub-policy elements.

8.3. Detailed policy requirements

8.3.1. General

a) Users are responsible and accountable for the information assets and services and their use
in ADWEA. Any action carried out by users or under their user accounts is considered their
responsibility.
b) Information assets and services in ADWEA shall be used for business purposes, shall not
conflict with the religious, political and moral values of the UAE and shall comply with all
local and federal rules and regulations.
c) Users shall not use or access any information asset or service that they are not authorized
to access. Users shall not bypass any restriction on assets or access in ADWEA.
d) Asset and service usage may be monitored for security or operational purposes.
e) ADWEA reserves the right to audit the use of assets and services on a periodic basis to ensure
compliance with ADWEA Policies.


f) In case this policy does not apply to certain assets, users shall immediately refer back to
ADWEA Information Security.

8.3.2. Antivirus (end point) Use policy

a) The corporate-provided Endpoint Protection product shall run in real time on all devices.
The product shall be configured for real-time malware and network threat protection and
must be kept up to date.
b) Third-party contractors', consultants' and vendors' computers connected to the ADWEA network
must run an approved and up-to-date Endpoint Protection product with real-time malware
and network threat protection.
c) Users shall not install an unapproved Endpoint Protection or Antivirus product, or try to alter
the configuration or disable the existing product.
d) Endpoint Protection full scans shall be done a minimum of once per week on all user
workstations and servers.
e) Users should ensure that an Endpoint Protection full scan is performed on all devices they
use.
f) Devices not fully scanned, or whose definitions have not been updated, at least once per week
should be disconnected from the network.
g) External or downloaded materials shall be malware/virus-scanned using the provided
corporate Endpoint Protection product.
h) Users shall notify the IT Service Desk immediately if they suspect that a malware/virus has
been released into any computing resources within ADWEA.
i) If an infection is found or suspected, the machine will be disconnected from the network
until verified as clean.
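The weekly checks in 8.3.2 a), b), d) and f) are measurable, so a compliance review can be scripted against an endpoint inventory export. The following is an added example written for this page, not ADWEA tooling and not the endpoint product's own reporting: the record schema, the approved product name "CorpEPP" and the sample inventory are all constructed. It lists every device that should be disconnected under f), with the reason, and treats a missing scan or definition timestamp as non-compliant rather than silently passing it.

```python
"""Weekly endpoint-protection compliance check (added example; not ADWEA tooling).

Checks 8.3.2 a), b), d) and f): every device must run an approved endpoint
protection product with real-time protection enabled, and must have had a full
scan and a definition update within the last seven days. Devices that fail are
listed for disconnection together with the reasons.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_AGE = timedelta(days=7)          # 8.3.2 d) and f): at least once per week
APPROVED_PRODUCTS = {"CorpEPP"}      # hypothetical product name; the policy names none


@dataclass
class EndpointRecord:
    """One row of an endpoint inventory export (constructed schema, not ADWEA's)."""
    hostname: str
    product: str                           # product reported by the endpoint agent
    real_time_enabled: bool
    last_full_scan: Optional[datetime]     # None if the device has never been scanned
    definitions_updated: Optional[datetime]


def _stale(timestamp: Optional[datetime], now: datetime) -> bool:
    """True when the timestamp is missing or older than MAX_AGE (exactly 7 days still passes)."""
    return timestamp is None or now - timestamp > MAX_AGE


def evaluate(rec: EndpointRecord, now: datetime) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    if rec.product not in APPROVED_PRODUCTS:
        findings.append("unapproved endpoint protection product")        # 8.3.2 a)/b)/c)
    if not rec.real_time_enabled:
        findings.append("real-time protection disabled")                 # 8.3.2 a)
    if _stale(rec.last_full_scan, now):
        findings.append("no full scan in the last 7 days")               # 8.3.2 d)
    if _stale(rec.definitions_updated, now):
        findings.append("definitions not updated in the last 7 days")    # 8.3.2 f)
    return findings


def devices_to_disconnect(records: List[EndpointRecord], now: datetime) -> Dict[str, List[str]]:
    """Map hostname -> findings for every device that should be disconnected under 8.3.2 f)."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = evaluate(rec, now)
        if findings:
            result[rec.hostname] = findings
    return result


# Constructed sample inventory, evaluated against a fixed reference time.
NOW = datetime(2024, 3, 15, 9, 0)
SAMPLE_RECORDS = [
    EndpointRecord("ws-001", "CorpEPP", True, NOW - timedelta(days=2), NOW - timedelta(days=1)),
    EndpointRecord("ws-002", "CorpEPP", True, NOW - timedelta(days=9), NOW - timedelta(hours=6)),
    EndpointRecord("ws-003", "CorpEPP", True, None, NOW - timedelta(days=8)),
    EndpointRecord("vendor-lt-01", "OtherAV", False, NOW - timedelta(days=1), NOW - timedelta(days=1)),
    EndpointRecord("srv-01", "CorpEPP", True, NOW - timedelta(days=7), NOW - timedelta(days=7)),
]

if __name__ == "__main__":
    for host, reasons in devices_to_disconnect(SAMPLE_RECORDS, NOW).items():
        print(f"{host}: disconnect ({'; '.join(reasons)})")
```

The boundary case matters in practice: "srv-01" was scanned exactly seven days ago and is still treated as compliant, which is the literal reading of "at least once per week"; a stricter interpretation would change the comparison in `_stale` to `>=`.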

8.3.3. Password Use policy

a) Passwords shall conform to ADWEA's requirements for length and complexity.


b) Default passwords shall not be used.
c) Passwords shall be kept confidential and secured at all times.
d) If you suspect your password has been compromised, inform the IT Service Desk
immediately.

8.3.4. Use of Intranet and Internet

a) Users shall apply due care when using any of the specific facilities provided in ADWEA, such
as the Internet and Intranet.
b) Users shall be aware of the classified information in ADWEA as per the Asset Management
Policy and refrain from publishing such information on the Intranet/Internet, and shall not
share or publish any statement which can impact ADWEA's interests or reputation.
c) Users shall not download, install or use any unauthorized software on the computing devices
provided to them by ADWEA. All new software requests shall go through the IT Service Desk for
authorization and installation.
d) It is strictly prohibited to use Proxy Avoidance tools and services.
e) Users should not connect networked devices directly to the internet by using an external
modem or similar devices. Traffic going directly to the internet is not protected by
ADWEA security controls and exposes the ADWEA network to significant security risks.
f) If the internet is used as a source of information in any ongoing activity or project in ADWEA,
the information source shall be verified before being used for business purposes.
g) It is prohibited to visit internet sites and services that:
- Contradict the ethics and morals of the UAE, such as adult material, dating, etc.
- Contain material which expresses hate towards religions.
- Are not in line with UAE laws.
- Allow or assist users to access blocked content.
- Constitute a risk, such as phishing websites, hacking tools and spyware.


- Relate to gambling.
- Provide information on purchasing, manufacturing, promoting and using illegal
drugs.
- Promote change or reform in public policy, public opinion, social practice,
economic activities and relationships.
- Offer information about, promote, or are sponsored by groups advocating anti-
government beliefs or action.
h) ADWEA management respects copyright when downloading files and documents. Users shall
refrain from sharing copyrighted material at all times.

8.3.5. Use of Email

a) Users shall not use personal email or third-party email systems (such as Gmail, Yahoo Mail,
Hotmail, Live, Outlook, iCloud, etc.) to conduct ADWEA business, or to store business data
and emails.
b) Users shall not accept official business-related emails from third parties using personal email
addresses (such as Gmail, Yahoo Mail, Hotmail, Live, Outlook, iCloud, etc.).
c) Users shall not share any confidential information (as defined in the Asset Management
Policy) through email, unless secure email controls have been implemented or the information
is password protected prior to being exchanged.
d) Users shall use email forwarding with due care.
e) All emails shall contain approved ADWEA signatures and disclaimers.
f) Users shall not use their ADWEA email address to register on any website on the internet or for
any non-business purposes.
g) Users shall not use the automatic forwarding option to/from external email addresses.


h) Emails or other forms of electronic communication containing the following are strictly
prohibited:
- Chain emails, jokes, videos, etc.
- Spam
- Harmful attachments or content, e.g. viruses, worms, etc.
- Defamatory, offensive, racist or obscene remarks
- Content that conflicts with the religious, cultural, political or moral values of the UAE
i) Email attachments shall be content scanned for incoming/outgoing emails.
j) Any misuse of the email service, information security alerts and warnings at ADWEA shall be
immediately reported to the IT Service Desk.
k) Any unauthorized use or forging of email header information is strictly prohibited.
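Rule g) above (no automatic forwarding to or from external addresses) is one of the few email requirements that can be verified centrally, by reviewing the server-side rules configured on each mailbox. The following is an added example, not ADWEA's or any mail platform's own code: the rule export format, the placeholder corporate domain "adwea.example" and the sample rules are constructed. It flags every forwarding rule whose target lies outside the corporate domain, reports forwards to the personal webmail providers named in a) and b) separately so they can be prioritised, and treats a target it cannot parse as a finding rather than ignoring it.

```python
"""Review of mailbox forwarding rules against 8.3.5 a), b) and g) (added example; not ADWEA tooling).

Given an export of server-side mailbox rules, flag every rule that forwards
mail to an address outside the corporate domain. Whether subdomains of the
corporate domain count as internal is an assumption made here, not a policy statement.
"""
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

CORPORATE_DOMAINS = {"adwea.example"}   # placeholder; the policy does not name the mail domain
PERSONAL_WEBMAIL = {                    # providers listed in 8.3.5 a) and b)
    "gmail.com", "yahoo.com", "hotmail.com", "live.com", "outlook.com", "icloud.com",
}


def address_domain(addr: str) -> Optional[str]:
    """Lower-cased domain of 'Name <user@host>' or 'user@host'; None if malformed."""
    _, bare = parseaddr(addr)           # strips any display name and angle brackets
    if "@" not in bare:
        return None
    domain = bare.rsplit("@", 1)[1].strip().lower()
    return domain or None


def is_internal(domain: str) -> bool:
    """Treat the corporate domain and its subdomains as internal (assumption)."""
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)


def review_forwarding_rules(rules: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (mailbox, rule_id, finding) for each rule that violates 8.3.5 g)."""
    findings = []
    for rule in rules:
        if rule["action"] != "forward":
            continue                     # only forwarding rules are in scope here
        domain = address_domain(rule["target"])
        if domain is None:
            findings.append((rule["mailbox"], rule["rule_id"], "unparseable forward target"))
        elif domain in PERSONAL_WEBMAIL:
            findings.append((rule["mailbox"], rule["rule_id"], "auto-forward to personal webmail"))
        elif not is_internal(domain):
            findings.append((rule["mailbox"], rule["rule_id"], "auto-forward to external domain"))
    return findings


# Constructed rule export; the field names are assumed, not a real mail server's schema.
SAMPLE_RULES = [
    {"mailbox": "a.user@adwea.example", "rule_id": "r1", "action": "forward", "target": "b.user@adwea.example"},
    {"mailbox": "c.user@adwea.example", "rule_id": "r2", "action": "forward", "target": "C User <cuser@GMAIL.com>"},
    {"mailbox": "d.user@adwea.example", "rule_id": "r3", "action": "move", "target": "Archive"},
    {"mailbox": "e.user@adwea.example", "rule_id": "r4", "action": "forward", "target": "ops@mail.adwea.example"},
    {"mailbox": "f.user@adwea.example", "rule_id": "r5", "action": "forward", "target": "partner@vendor.example"},
    {"mailbox": "g.user@adwea.example", "rule_id": "r6", "action": "forward", "target": "not-an-address"},
]

if __name__ == "__main__":
    for mailbox, rule_id, finding in review_forwarding_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {rule_id}: {finding}")
```

Run against the sample, the internal forward (r1), the subdomain forward (r4) and the non-forwarding rule (r3) produce nothing, while the webmail forward, the external forward and the malformed target are each reported once; in a real review the same logic would be fed the output of the mail platform's rule export.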

8.3.6. Mobile Device Usage

a) Employees may use their mobile devices to access ADWEA services as per Bring Your Own
Device Policy in ADWEA.
b) Corporate mobile devices provided by ADWEA shall be password protected.
c) Corporate mobile devices provided by ADWEA should be used for business purposes
only.
d) Users shall always keep corporate mobile devices safe and protect them from theft.
e) Users shall prevent any attempt of shoulder surfing by unauthorized users while using
corporate mobile devices in public places.
f) Users should follow Malware protection guidelines provided in the Antivirus Policy while
using any corporate mobile device.
g) Users shall follow the guidelines provided in the Teleworking Security Policy for secure
remote access while working from outside ADWEA networks.
h) Corporate smartphone users are responsible for backing up the data on their devices.


i) Users shall follow the manufacturer's instructions when using corporate mobile devices,
e.g. protection against heat and exposure to electromagnetic fields.
j) Corporate mobile devices provided by ADWEA shall never be shared with others.
k) Mobile devices used to access or store ADWEA data shall never be jailbroken, rooted or
cracked.
l) ADWEA reserves the right to stop or disconnect any ADWEA services running on the mobile
devices without notifying the user.
m) Any lost or stolen corporate mobile device shall be immediately reported to IT Service Desk.

8.3.7. Clean Desk

a) Desks shall be kept clear while away, and data classified as Restricted or above shall be stored
in locked drawers or cabinets. Keys used to lock drawers or cabinets shall not be left at an
unattended work area.
b) Laptops shall be either locked with a locking cable or locked away in a fixed and secure drawer
or cabinet when the work area is unattended or at the end of the workday. It is the user's
responsibility to ensure all security precautions are taken.
c) Passwords shall not be posted on or under a computer or in any other accessible location.
d) Information of classification of Restricted or above shall not be left on meeting room
whiteboards and tables after meetings have been concluded.
e) Users shall collect printed documents immediately from the printers, fax machines and
photocopiers and refrain from leaving the sensitive data and confidential information in the
printing facilities.
f) Photocopiers, printers and other printing machines available in the printing facilities of ADWEA
shall only be used for business purposes.


8.3.8. Clear Screen

a) Computers and devices provided by ADWEA or used to access or store ADWEA data shall be
screen locked and password protected when unattended for any period of time.
b) Users shall properly log out from systems and applications when the session is finished.
c) Users shall save critical business data on the ADWEA share drive.

8.3.9. VoIP

a) VoIP services that use the public Internet are prohibited. This includes, but is not limited to,
services, software or hardware that use the public Internet as the means of communication.

8.3.10. Removable Media

a) Users should not plug personal removable media into corporate devices, and should not plug
removable media containing corporate data into their personal devices.
b) Removable media containing data classified as Confidential or higher shall be encrypted.
c) Removable media containing corporate data classified as Confidential or higher shall not
leave ADWEA premises unless required in the performance of authorized assigned duties,
and a record shall be kept.
d) Users shall not plug unknown removable media into corporate devices or devices
connected to the ADWEA network.

8.3.11. Compliance

a) Users shall comply with this policy and any other related acceptable use policies for any
specific information asset.


b) Each individual is responsible for his/her own actions.
c) Any user aware of a policy violation or suspicious activity shall immediately report the
violation to their supervisor, the ADWEA Information Security Office and the Human
Resources Manager.
d) Each user must sign an acknowledgement of receipt and understanding before accessing
ADWEA information systems.

8.3.12. Acknowledgement of Receipt and Understanding

I hereby certify that I have read and fully understand the contents of the Acceptable Use Policy.
My signature below certifies my knowledge, acceptance and adherence to ADWEA Group Acceptable Use Policy.

Please use CAPITAL letters

Name:
_________________________________________________________________
Company:
_________________________________________________________________
File Number:
_________________________________________________________________
Date:
_________________________________________________________________
Signature:

_________________________________________________________________
