Tuesday, March 12, 2019
ICT Policy and Server Room Proposal for a Small Firm
INFORMATION COMMUNICATION TECHNOLOGY POLICY DOCUMENT

INTRODUCTION

The Information and Communications Technology policy covers security issues and how to effectively apply and maintain secure systems, thereby facilitating the protection of critical, important and private information together with its associated systems. Most people are presumably able to appreciate the impact and severity of the loss or theft of confidential designs for a new product. However, they do not always recognise the potential risk, and the consequential result, of seemingly innocent activities such as copying software, copying corporate information onto their laptop computer, or not documenting changes made to their systems.

The purchase and installation of hardware and software requires those involved to consider carefully the information security issues involved in this process. Careful consideration of the firm's business needs is paramount, as it is usually costly to make subsequent changes. Analysis of user requirements versus the various benchmark test results will establish the best choice of server/software to be purchased. Installation of new equipment must be properly considered and planned to avoid unnecessary disruption and to ensure that the IT & T policy issues are adequately covered.

The issue of IT consumables is also looked into. These are expensive and should be properly controlled both from an expense perspective and from an information security perspective. Valuable stocks should always be kept in a secure environment to avoid damage or loss.

OBJECTIVES

To develop an Information Communication Technology policy for the KPLC Retirement Benefits Scheme that introduces economical and effective use of IT systems and in turn facilitates the smooth running of the secretariat.
MISSION STATEMENT

To strive to render nothing but the best means of information and telecommunications service to the secretariat as a whole.

DEFINITION OF ICT POLICY

A set of rules, regulations, procedures and plans of action for the administration of equipment, resources and services in the ICT function.

TERMS OF REFERENCE

The aim of this document is to:
i) Analyse procedures and practices that are in use currently and identify those that can be strengthened or changed.
ii) Work out a time plan for the smooth transition from the use of KPLC systems and resources.
iii) Review policies implemented elsewhere to facilitate broad knowledge and adapt ideas suitable to our environment.

TABLE OF CONTENTS

INFORMATION COMMUNICATION TECHNOLOGY POLICY DOCUMENT
INTRODUCTION
TABLE OF CONTENTS
PREAMBLE
IT & T SYSTEM DESCRIPTIONS
1.0 PROCUREMENT OF HARDWARE, PERIPHERALS & OTHER EQUIPMENT
  1.1 Purchasing and Installing Computer Hardware
  1.2 Cabling, UPS, Printers and Modems
  1.3 Consumables
  1.4 Working Off Premises or Using Out-sourced Processing
  1.5 Using Secure Storage
  1.6 Documenting Hardware
  1.7 Telecommunications Equipment
  1.8 Other Hardware Issues
  1.9 Disaster Recovery Plans
2.0 CONTROLLING ACCESS TO INFORMATION & SYSTEMS IN THE SECRETARIAT
  2.1 Controlling Access to Information and Systems
  2.1.5 Controlling Access to Operating System Software
  Managing Passwords
3.0 PROCESSING INFORMATION AND DOCUMENTS
  3.1 Networks
  3.2 System Operations and Administration
  3.3 E-mail and the World Wide Web
  3.4 Telephones & Fax
  3.5 Data Management
  3.6 Backup, Recovery and Archiving
  3.7 Document Handling
  3.7.3 Countersigning Documents
  3.7.5 Approving Documents Before Dispatch
  3.7.6 Signature Verification
  3.8 Securing Data
  3.8.4 Maintaining Customer Information Confidentiality
4.0 PURCHASING AND MAINTAINING COMMERCIAL SOFTWARE
  4.1 Purchasing and Installing Software
  4.2 Software Maintenance & Upgrade
  4.3 Other Software Issues
5.0 COMBATING CYBER CRIME
  5.1 Combating Cyber Crime
  5.1.1 Defending Against Premeditated Third Party Cyber Crime Attacks
  5.1.2 Minimising the Impact of Cyber Attacks
  5.1.3 Collecting Evidence for Cyber Crime Prosecution
  5.1.4 Defending Against Premeditated Internal Attacks
  5.1.5 Defending Against Opportunistic Cyber Crime Attacks
6.0 COMPLYING WITH LEGAL AND POLICY REQUIREMENTS
  6.1 Complying with Legal Obligations
  6.1.2 Complying with General Legislation
  6.1.3 Complying with Copyright and Software Licensing Legislation
  6.1.4 Legal Safeguards against Computer Misuse
  6.2 Complying with Policies
  6.3 Avoiding Litigation
  6.3.3 Sending Copyright Information Electronically
7.1 E-Commerce Issues
  7.2 Structuring E-Commerce Systems Including Web Sites
  7.3 Securing E-Commerce Networks
  7.4 Configuring E-Commerce Web Sites
  7.5 Using External Service Providers for E-Commerce Delivery Channels
8.7 Cost Considerations
9.0 DEALING WITH PREMISES RELATED CONSIDERATIONS
  9.1 Physical Security of Equipment and Assets
10.0 NETWORK SECURITY MEASURES
  10.1 Data Network Devices
  10.2 System Administration
  10.3 System Auditing
  10.4 Email Policies
  10.5 The Cyber Space
  10.6 Computer Desktop Equipment
  10.7 Human Resource Aspects Policies
  10.8 Security Policy Auditing
  10.9 Incident Management and Responses
  Reporting an Incident
  What is Cybercrime?
11.0 Movement of Telecommunications Equipment
  11.1 Setting Classification Standards
12.0 RETIREMENT OF OBSOLESCENT OR OBSOLETE EQUIPMENT
  12.1 Setting New Hardware Standards
  12.2 Methods of Assessing Old and Obsolete Software/Hardware
  12.3 Hardware and Software Obsolescence
  12.4 RBS Depreciation Factors for Defining Old or Obsolete Equipment
13.0 APPENDIX 1
  13.1 LIST OF SPARES & ACCESSORIES
14.1 GLOSSARY & REFERENCES

PREAMBLE

It is necessary for one to be familiar with the various Information Technology and Telecommunications systems that the company has acquired and installed over the years. This document provides a description of those systems as well as the policies formulated in regard to these IT & Telecommunications systems.

IT & T SYSTEM DESCRIPTIONS

1. Telephony
The telephone network for RBS consists of the public interconnected network, reached through private automatic branch exchanges (PABX) that connect us to the public network via the telecommunication service providers, and the private branch network (PBX) housed in our commercial office premises, which lets us communicate within the premises through extension numbers.

2. Computer Data Systems
These are composed of the data network hubs and switches that make up the Local Area Networks (LANs) and the routers that interconnect the LANs. Each LAN is composed of passive data cabling, servers and PCs that use the network thus established to exchange information and data throughout the enterprise.

3. System Software and Data
System software is the general term used to describe the many software programs, drivers and utilities that together enable a computer system to operate. One of the main components of system software is the operating system of the computer, e.g. Microsoft Windows XP Professional.

4. Data
Data, in the language of information technology, means the individual elements that comprise information and that can be processed, formatted and re-presented so that they gain meaning and thereby become information. Here we are concerned with the protection and safeguarding of that data/information which, in its various forms, can be identified as Business Assets or Information Assets.
The terms data and information can be used somewhat interchangeably but, as a general rule, information always comprises data, whereas data is not always information.

ICT SYSTEMS DESCRIPTIONS

RBS Open Retirement Benefits Scheme System
The system is used for the administration of employee and employer contributions into the RBS Fund. It has a database of member details together with their dependants. This is used when benefits are to be calculated for deceased persons and withdrawing members. The system also has a pensioners' payroll used to pay all pensioners, whether retirees or widows and orphans. Group Life cover for all employees and the Last Expense benefit are also maintained and administered in the system.

Database Management Systems
The secretariat database is managed using the ORACLE database management system (DBMS). Oracle databases are relational, so data is stored in them in row-column (table) format. All the company data is stored and managed using ORACLE.

WINDOWS NT ENVIRONMENT
The Windows NT environment operates in domains. A domain is a collection of computers and users, defined by the administrator of a Windows NT Server network, that share a common directory database. A domain provides access to the centralised user accounts and group accounts maintained by the domain administrator. Each domain has a unique name.

In the current WAN model of KPLC there is a single master domain called KPLCSTIMA. KPLCSTIMA is also the main account domain, and KPLCNET is the Internet resource domain. A child domain known as RBS.KPLCSTIMA will be created from the master domain and will have a trust relationship with it. This will give us more control of our systems and semi-autonomy from the KPLC systems.
It will be installed with the Windows Server 2003 Standard Edition operating system, which will provide the following services at RBS:
1. File and print sharing.
2. Microsoft Exchange, to host the resident staff members' mailboxes and enable efficient sending and receiving of internal/Internet mail and, if need be, also provide storage of the mailboxes.
3. Anti-virus software.
4. Systems Management Server for network management.
5. Internet browsing.
6. Faster downloads of application updates.
7. Efficient installation and periodic updates of the PC anti-virus software in the local area network.
8. Faster and seamless primary logon of client PCs to the network.

Our application, i.e. the RBS system, is already running on a stand-alone server and will continue that way to ensure system stability and integrity. The new system will also run on its own stand-alone server for the same reason.

The primary domain controller (PDC) tracks changes made to domain accounts. Whenever an administrator makes a change to a domain account, the change is recorded in the directory database on the PDC. The PDC is the only domain server that receives these changes directly, and a domain has one PDC. A backup domain controller (BDC) maintains a copy of the directory database. This copy is synchronised periodically and automatically with the PDC. BDCs also authenticate user logons, and a BDC can be promoted to function as the PDC. Multiple BDCs can exist in a domain.

Client PCs
Currently there are four PCs and two laptops in the secretariat, all running Windows XP as the desktop operating system and networked through the Windows NT KPLC master domain. All PCs have MS Office 2003/2007 as the office desktop application. The PCs have between 256 and 512 MB of RAM. All the PCs run the Microsoft TCP/IP protocol and use USER LEVEL access on the network.
Microsoft Exchange Server
Microsoft Exchange Server is used for electronic messaging in and out of the organisation. Exchange is organised into entities called sites, each consisting of one or more servers containing mailboxes and public folders. Mailboxes are where a user's messages are kept, each user having a single mailbox, whereas public folders are like notice boards, containing information that is shared between multiple users. Intra-site communication has to occur at high speed and with high reliability; inter-site communication can occur at lower speeds. In addition to local messaging there is Internet messaging, implemented via the Proxy Server.

Anti-Virus Software
McAfee Total Virus Defence software is the current company guard against viruses. The copy loaded on the Exchange server protects against viruses distributed by mail. A group of computers and the server that manages them is called an Anti-virus Domain. The anti-virus server downloads new versions automatically from the McAfee website on the Internet. Once a new software version is downloaded, the system administrator configures it for distribution. The software also alerts the system administrator to pull the latest versions to the Anti-virus Server.

Internet
Microsoft Proxy Server provides an easy, secure way to bring Internet access to every desktop in an organisation. The proxy server is a gateway between the company's network and the Internet. A gateway is special software, or a computer running special software, that enables two different networks to communicate. The gateway acts as a barrier that allows you to make requests to the Internet and receive information, but does not allow access to your network by unauthorised users.

1.0 PROCUREMENT OF HARDWARE, PERIPHERALS & OTHER EQUIPMENT

1.1 Purchasing and Installing Hardware
This chapter deals with the Information Technology and Security issues relating to the purchase, use or maintenance of equipment through which information is processed and stored.

1.1.0 Procurement of Hardware, Peripherals and Other Equipment

Policy Statement
All purchases of new systems hardware or new components for existing systems must be made in accordance with Information Security and other organisation policies, as well as technical standards. Such requests to purchase must be based upon a User Requirements Specification document and take account of longer-term organisational business needs.

The purchase and installation of hardware requires those involved to consider carefully the Information Security issues involved in this process. This section covers the key areas to be considered.

1.1.1 Specifying Information Security Requirements for New Hardware
The purchase of new computers and peripherals requires careful consideration of the business needs, because it is usually expensive to make subsequent changes.

ICT issue: The system must have adequate capacity, or else it may not be able to process your data.
Action required: Estimate the current and potential load on the system. For critical applications, ensure that the system is resilient and of high quality. Select a supplier with a proven track record, who is likely to be in business for the life of the hardware.

ICT issue: Data must be adequately protected, otherwise there is a risk of loss or accidental/malicious damage.
Action required: Determine the type of safeguards necessary for the information concerned and ensure that the hardware is capable of supporting the required features, e.g. the type of operating system and attached devices.
See Classifying Information and Data.

ICT issue: Where hardware maintenance is poor or unreliable, you greatly increase the risk to the organisation because, in the event of failure, processing could simply stop.
Action required: Choose a supplier with a proven track record, who is likely to be in business for the life of the hardware. Enter into a maintenance contract at the time of purchase, with a suitable response time in the event of a failure. See Service Level Agreement.

ICT issue: The system must be sufficiently resilient to avoid unplanned down-time, which can have an immediate negative impact on your organisation.
Action required: Determine your organisation's tolerance of system non-availability (seconds, minutes, hours or days?) and approach the design of your hardware configuration accordingly. Consider the use of mirrored disks to guard against disk failures, duplicate processors in case of processor failure, duplicate configurations, and the use of an Uninterruptible Power Supply (UPS) and standby generators.

1.1.2 Installing New Hardware
Installation of new equipment must be properly considered and planned to avoid unnecessary disruption and to ensure that the ICT Policy issues are adequately covered. (See Premises for further detail.)

Policy Statement
All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information Technology and Security requirements for new installations are to be circulated for comment to all interested parties, well in advance of installation.

ICT issue: The equipment must be located in a suitable environment, otherwise it may fail.
Action required: Adhere to the specifications and recommendations of the manufacturer or supplier, e.g. for operating temperature, humidity etc. Suitable safeguards against fire, water and electrical failure should be in place.
See Premises.

ICT issue: Any disclosure of your network diagrams, security features, locations and configurations etc. exposes potential vulnerabilities, which could be exploited.
Action required: Ensure that all persons on site, whether from your own organisation or not, have completed a Non-Disclosure Agreement. Although a Non-Disclosure Agreement paves the way for legal redress, it cannot protect you against actual commercial damage.

ICT issue: Leaving tools, utilities and developers' kits on your new system endangers the confidentiality and integrity of your data.
Action required: All new systems should be configured for maximum practical security by the removal of unnecessary utilities, developers' programs, etc., a technique known as hardening.

ICT issue: Without an installation plan for the new equipment, disruption to operational systems is more likely.
Action required: Ensure that all special pre-installation requirements (e.g. air conditioning) have been met. Identify the precise location for the equipment and ensure that the power and network cables are ready. Agree a detailed installation plan with the vendor. Consider what might go wrong and how to minimise the risks.

ICT issue: Where the installation plan does not include safeguards against the (inevitable) increased security threat resulting from (relatively) open access to the systems area, accidental or malicious damage can result.
Action required: Agree a detailed installation plan and document it (see Project Plan). Monitor progress against the plan. Only allow authorised persons access to the systems area. To protect all parties, never allow engineers to work unattended.

ICT issue: Breaches of Health and Safety regulations endanger the well-being of your staff and your organisation's commercial activities.
Action required: Ensure Health and Safety regulations are followed when locating the equipment, peripherals and cables. A periodic visual inspection is also beneficial.

1.1.3 Testing Newly Installed Systems and Equipment
Hardware should be tested when new to verify it is working correctly, and further tests applied periodically to ensure continued effective functioning.

Policy Statement
All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment or user sites.

ICT issue: Where new equipment is not tested for critical functions before being used, it can lead to failure and hence damage to both data and other linked systems.
Action required: Ensure that all new installations are thoroughly tested after initial set-up and prior to live use. All such tests should be in accordance with a documented test plan.

ICT issue: Inadequate testing can threaten the integrity and availability of your data.
Action required: Scrutinise the test outputs to confirm the results. Ensure that all key components, e.g. hard disk subsystems, are included in the tests. Devices that are known to degrade with time, e.g. printers, should be tested periodically.

ICT issue: Where testing is performed in a manner that does not simulate live conditions, the results of such testing cannot be relied upon.
Action required: Ensure that the test plan simulates realistic work patterns.

ICT issue: Poor security procedures during equipment testing can compromise the confidentiality of your data.
Action required: Ensure that Non-Disclosure Agreements have been obtained from all third-party staff involved in testing the equipment. Verify that the required security configuration and safeguards have been implemented for the new hardware. If live data is used in the testing process for the new hardware, ensure that it is closely controlled. See Use of Live Data for Testing.

Explanatory notes

NT servers
The analysis of user requirements (client base and expected mail volume) versus the various benchmark test results will establish the best choice of server to be purchased. For a file and print server only, disk space is the key requirement.
Servers (IT & T issue: key actions)
Processor: Dual CPU, with redundant system components in as many aspects as possible.
Disk & disk space: Enough storage to cater for the expected growth of the mail database over the next fiscal year. Redundant and RAID-5 capable.
SPEC CPU2000 (SPECint2000): Compares CPU speeds and establishes the best processors and server performance across candidate servers (http://www.specbench.org/). To establish the best server as per RBS requirements, do a sample analysis based on the databases expected, or consult the database product vendor on system demands.
TPC-C benchmark: Measures the ability of a server to process transactions in a simulated business environment, reporting both the performance of the System Under Test and a real-world scenario. See guidelines at http://www.tpc.org/.
Transactions per server: Mail servers should handle 1500 mail user transactions simultaneously in a normal business environment, and should be capable of storing all mail processed in a normal working day.

Routers (ICT issue: key actions)
Router basics: Dual CPU, with all redundant system components installed at time of purchase.
IOS, RAM and ROM: Latest Cisco IOS, e.g. version 12.X, 128 MB RAM and sufficient flash memory to store all features of IOS. VPN and 3-DES features enabled. (3-DES is now deprecated by NIST for new use; where the IOS image supports it, prefer AES for VPN tunnels.)
IOS compatibility: New routers should be Cisco-compatible, to integrate seamlessly with existing IOS and equipment.
Number of WAN ports: Decide by local needs, e.g. hub-routers should be preferred for small LANs.
User management: Manageable by local or remote interface, RMON, SNMP or network user interfaces. (Use SNMPv3 where supported; SNMPv1/v2c community strings travel in clear text.)

Hubs and Switches (item: action)
Hardware basics: Dual CPU, with all redundant system components installed at time of purchase.
IOS, RAM and ROM: Latest Cisco IOS, e.g. version 12.X; VLANs, workgrouping and bridging possible.
IOS compatibility: Cisco-compatible, to integrate seamlessly with existing IOS and equipment.
Protocols: Ethernet enabled.
Number of LAN ports: Decide by local needs, e.g. hub-routers should be preferred for small LANs.
User management: Manageable by local or remote interface, RMON, SNMP or an HTML-enabled network user interface.

Modems (item: action required)
Software compatible: Supports HyperTerminal for Windows. Should be configurable using AT commands.
V90: Modems should be V90 standard and downward compatible with existing V54 & V42 types, etc.
2 & 4 wire: Supports two-wire dial-up and four-wire leased analogue line use.

Data cabinets
Equipment cabinets should be properly chosen. The current 6U cabinet is too small for any future expansion, or even for good workmanship to be carried out. Vendors should provide a cabinet of size equal to or larger than 12U.

Sufficient space for equipment: The cabinet should house all the equipment and accessories at installation time, leave room for future expansion and provide free space for proper ventilation. See http://www.datacabinets.com/
Aesthetically chosen for the office environment: The cabinet should be coloured to match the general look of its surroundings, free-standing or wall-mounted, and equipped with sufficient fittings.
Proper ventilation and humidity: The cabinet must have sufficient cooling fans. The fans shall be designed to give the minimum noise level expected in a normal office environment and must keep the humidity level low.
Designed for the equipment therein: The cabinets will house all the active equipment and connection accessories such as patch panels, Light Unit Interfaces (LIUs), cord organisers, cable straps etc. They should be lockable and equipped with some trays.
Grounding and ESD: All cabinets shall be electrically grounded to ensure that electrical noise and static discharge are minimised.

Server Room
The following items are useful in a server room construction.
Backup power: Installation of a central UPS to carry the load for at least 30 minutes after an outage.
Conditioned power supply: Installation of spike protectors is necessary to ensure a well regulated supply free of surges and dips.
Neat and extensive cable trays: Construction of a technical (false) floor and a technical roof (false ceiling) to house all types of cabling and utilities such as fire suppression outlets, smoke detectors, etc.
No electrostatic discharge (ESD) in the computer room: Proper grounding and use of anti-static PVC covers on the floor. Each tile must be well grounded.
Maintain ambient temperature: Installation of a two-way redundant air conditioning system. Maintain 16 °C throughout the room.
Guard against fires and similar hazards: Installation of an automatic fire-fighting system. Use effective extinguishing agents that are less hazardous to human health, e.g. a clean-agent system such as Inergen. See www.inergen.com/
Classify room usage: Partitioning of the computer room.
Proper lighting: Supply and installation of a false ceiling.
Protection against the harmful effects of the fire suppression agent: Supply of gas masks.

1.2 Cabling, UPS, Printers and Modems

Cabling
For best results the following international standards should be incorporated when carrying out voice/data cabling works.

Scope: The Systems Administrator is to assess the scope of requirements.
Design of the cabling plant and premises considerations: According to ANSI/EIA/TIA 568B & 569 standards. See www.ansi.org, www.eia.org & http://www.tiaonline.org
Implementation and workmanship of cabling works and testing: According to ANSI/EIA/TIA 606 & 607 standards for installing and maintaining data/voice cabling plant.
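As an added worked example (not part of the original document), the UPS sizing formulas given under the UPS heading later in this section, carried through in Python with the two allowances a practitioner adds in practice: inverter efficiency and battery depth of discharge. The 7.2 kVA StimaEIS load and the 12 V, 9 Ah battery are the document's figures; the 90% efficiency and 80% depth-of-discharge defaults are illustrative assumptions, and meets_backup_policy applies the server-room requirement of at least 30 minutes of backup.

```python
"""UPS battery sizing for a given load and required backup time.

Added example, not part of the RBS policy document. Assumes batteries are
connected in parallel at the stated battery voltage; the inverter efficiency
and depth-of-discharge figures are illustrative, not vendor data.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class BatterySizing:
    load_w: float        # real power drawn by the protected load, in watts
    energy_wh: float     # energy the load consumes over the backup period
    battery_wh: float    # energy the batteries must deliver, after inverter losses
    required_ah: float   # ampere-hours needed at battery_v, after depth-of-discharge allowance
    batteries: int       # whole batteries of the given Ah rating, in parallel


def kva_to_watts(kva: float, power_factor: float = 1.0) -> float:
    """Convert apparent power (kVA) to real power (W); PF 1.0 is the worst case for the batteries."""
    if kva <= 0 or not 0 < power_factor <= 1:
        raise ValueError("kVA must be positive and power factor in (0, 1]")
    return kva * 1000.0 * power_factor


def size_batteries(load_w: float, backup_hours: float, battery_v: float, battery_ah: float,
                   inverter_efficiency: float = 1.0, depth_of_discharge: float = 1.0) -> BatterySizing:
    """Number of parallel batteries needed to carry load_w for backup_hours.

    Energy (Wh) = P (W) x t (h); battery energy = Wh / efficiency;
    Ah at the battery voltage = Wh / V, scaled up so that only the usable
    fraction (depth of discharge) of each battery is relied upon.
    """
    for name, value in (("load_w", load_w), ("backup_hours", backup_hours),
                        ("battery_v", battery_v), ("battery_ah", battery_ah)):
        if value <= 0:
            raise ValueError(f"{name} must be positive")
    if not 0 < inverter_efficiency <= 1 or not 0 < depth_of_discharge <= 1:
        raise ValueError("efficiency and depth of discharge must be in (0, 1]")
    energy_wh = load_w * backup_hours
    battery_wh = energy_wh / inverter_efficiency
    required_ah = battery_wh / battery_v / depth_of_discharge
    return BatterySizing(load_w, energy_wh, battery_wh, required_ah,
                         math.ceil(required_ah / battery_ah))


def runtime_minutes(load_w: float, batteries: int, battery_v: float, battery_ah: float,
                    inverter_efficiency: float = 1.0, depth_of_discharge: float = 1.0) -> float:
    """Inverse calculation: how long a given battery bank holds up the load."""
    if load_w <= 0 or batteries <= 0:
        raise ValueError("load and battery count must be positive")
    usable_wh = batteries * battery_ah * battery_v * depth_of_discharge
    return usable_wh * inverter_efficiency / load_w * 60.0


def meets_backup_policy(load_w: float, batteries: int, battery_v: float, battery_ah: float,
                        minimum_minutes: float = 30.0, **kwargs) -> bool:
    """Check a proposed bank against the server-room requirement of at least 30 minutes."""
    return runtime_minutes(load_w, batteries, battery_v, battery_ah, **kwargs) >= minimum_minutes


if __name__ == "__main__":
    load = kva_to_watts(7.2)                  # StimaEIS load from the document, PF taken as 1.0
    ideal = size_batteries(load, 0.5, 12, 9)  # 30 min on 12 V 9 Ah batteries, no losses
    real = size_batteries(load, 0.5, 12, 9, inverter_efficiency=0.9, depth_of_discharge=0.8)
    print(f"{ideal.energy_wh:.0f} Wh -> {ideal.required_ah:.0f} Ah -> {ideal.batteries} batteries (lossless)")
    print(f"with 90% inverter efficiency and 80% depth of discharge: {real.batteries} batteries")
    verdict = "meets" if meets_backup_policy(load, 24, 12, 9) else "does not meet"
    print(f"24 batteries give {runtime_minutes(load, 24, 12, 9):.1f} min, which {verdict} the 30 min policy")
```

Running the script shows that 24 batteries of 12 V 9 Ah carry a 7200 W load for about 21.6 minutes, short of the 30-minute requirement, whereas 34 give 30.6 minutes before losses; with the illustrative loss allowances the count rises to 47. Real UPS units put batteries in series strings at a higher DC bus voltage, so the Ah figure should be computed at the string voltage the vendor specifies.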
Network active devices
Different vendors have preferred methods of rolling out active devices; the following method is suggested: develop a high-level process flow diagram for deploying new solutions, covering solution hardware requirements, solution management platforms, solution validation by a pilot project, full solution deployment, and documentation of all related information for management, maintenance and future extensions.

UPS
The following formulas are useful in determining the choice of UPS. A UPS is rated in terms of steady power output and backup time. Steady power is given in watts (W), or as apparent power in kVA, which is converted to watts by multiplying by the load's power factor (taking the power factor as 1 gives the safe, worst-case figure). Backup time is given in hours (h). Battery capacity is given in ampere-hours (Ah) at the battery voltage.

Power (W) x Time (h) = Energy (Wh); 1 kWh = 3.6 megajoules.
Battery capacity required (Ah) = Energy (Wh) / Battery voltage (V).
Number of batteries = Required Ah / Ah per battery, for batteries in parallel at that voltage (batteries in series add voltage, not Ah, so compute the Ah at the voltage of the string).
Conversely, Time (h) = (Ah x V) / Power (W).

E.g. StimaEIS is a 7.2 kVA load. To back it up for half an hour requires 7200 W x 0.5 h = 3600 Wh. Given that each small battery is 12 V with 9 Ah, that is 3600 / 12 = 300 Ah, or 300 / 9 = 33.3, i.e. 34 batteries in parallel before allowing for inverter losses and depth of discharge, both of which increase the count. Similarly, for the rest of the computers the same formula can be used.

1.3 Consumables

Introduction
ICT consumables are expensive and should be properly controlled both from an expense perspective and from an Information Security perspective. This section deals with the Information Security aspects of IT consumables.

1.3.1 Controlling IT Consumables

Policy Statement
IT consumables must be purchased in accordance with the organisation's approved purchasing procedures, with usage monitored to discourage theft and improper use. They must be kept in a well-designated store away from the working area.

Explanatory Notes
Examples of consumables are printer forms, stationery, printer paper, toner & ink, ribbons, disks, diskettes, bar-code labels and other accessories.

ICT issue: Pilfering of your consumables results in increased organisational expense.
Action required: Safeguard consumables against petty theft by locking cupboards, maintaining a register, requiring written authority prior to removal of items, etc.
Keys are to be kept by the supervisor's office.

ICT issue: Consumables may be stolen with the intent to defraud your organisation or customers.
Action required: Take special measures to protect potentially valuable pre-printed forms and account for their usage. The store area should be a restricted area; use gate-passes and authorisation.

ICT issue: Confidential data may be revealed to unauthorised persons from discarded consumables, e.g. discarded draft printer output and test data printer output.
Action required: Ensure that confidential information cannot be recovered from discarded consumables, such as printer ribbons and floppy disks, by destroying them. Destroy or shred surplus printout/fiche containing data, whether or not the data appears to be confidential. See also Classifying Information and Data.

1.3.2 Using Removable Storage Media including Diskettes and CDs

Policy Statement
Only personnel who are authorised to install or modify software, and staff who are authorised to transfer and update data, shall use removable media to transfer data to/from the organisation's network. Any other persons shall require specific authorisation.

Explanatory Notes
When using removable computer storage media there are additional ICT security risks associated with the portability of the media. The person authorised to install and modify software is the system administrator. Personnel authorised to transfer and update data shall be determined by the general manager and the systems administrator.

ICT issue: Loss or disappearance of disks, tapes, etc. can compromise the confidentiality of the organisation's data.
Action required: Ensure that all media are stored safely and securely. Make sure that all media are labelled clearly, physically and/or electronically, and that they can be located easily when needed. Designate key individuals to monitor the storage and use of removable media.

ICT issue: Damage to media compromises the integrity of your corporate records.
Action required: Follow the manufacturer's recommendations when handling the media. Take protective measures against environmental extremes of temperature, humidity, dust, etc., according to the importance and sensitivity of the data. Consider carefully the safeguards required for any media being moved or stored off-site, especially backup tapes/disks. In the case of irreplaceable data, consider taking security copies, each of which must be properly safeguarded. Consider using fire-resistant storage cabinets for such media.

1.4 Working Off Premises or Using Out-sourced Processing
Working off-premises involves a broad range of Information Security risks. In addition to the obvious threat of theft of the equipment, there are also significant risks to the information contained on portable equipment. Business centres must be used with great care, as confidential information or data can be input onto equipment that is not under your control.

1.4.1 Contracting or Using Out-sourced Processing
The following issues should be considered if the organisation decides to outsource some or all of its computer processing.

Policy Statement
Persons responsible for commissioning out-sourced computer processing must ensure that the services used are from reputable companies that operate with accredited information security and quality standards, which should include an appropriate Service Level Agreement.

ICT issue: Inadequate performance can threaten your organisation's information processing and business operations.
Action required: Determine the critical success factors for your organisation in terms of speed, reliability, response and the ability to scale rapidly (if necessary). Document these factors in a Service Level Agreement with penalty clauses for breaches.

ICT issue: Poor reliability threatens the performance of your business.
Action required: Consider your organisation's tolerance of system non-availability: seconds, minutes, hours or days? Ensure that the service provider can meet these needs.
Document these factors in a Service Level Agreement with penalty clauses for breaches. Lack of direct control when outsourcing can compromise imputable diligence should be exercised to ensure that the outsourcing company data confidentiality. is reputable and operates with adequate standards. Obtain a Non Disclosure Agreement from the outsourcing company. Insist on secure transmission methods between your organisation and theirs, e. g. authenticated transmission with encrypted data. 1. 4. 2 number Laptop / Portable Computers to PersonnelLaptops, Portables, Palmtops -or even electronic organisers, which connect to and store your organisations data are included within th is topic. end-to-end this topic we refer to them collectively as laptops Policy Statement margin management must authorise the issue of portable computers. Usage is restricted to business purposes, and users must be conscious(predicate) of, and accept the terms and conditions of use, especially responsibility for the security of information held on such devices ICT Issues Action Required Confidential data disclosed to unauthorised persons can Be authoritative that the member of staff has a valid business reason for damage the organisation. using a laptop.Maintain and update the Hardware memorial with the primary users name and contact details Ensure that you are always able to trace the physical location of the laptop and that the type and sensitivity of any stored data is known and properly secure. Always use any power-on tidings feature as a simple deterrent to opportunistic usage. Ensure the confidentiality and security of backup files. The use of unli censed software can subject your All software used on the laptop must be licensed and comply with both organisation to legal action legal and organisational standards. Viruses, Worms, Trojans and other Malicious Code can Scan the laptop for malicious code and viruses regularly. corrupt both data and the system files. 
Always stare files before accepting them onto the laptop Theft of the laptop exposes the organisation to the threatEnsure that the pallbearer implements adequate safety procedures against of disclosure of keen corporate data to competitors. theft. Consider the use of securing wires or other security devices in open offices. Ensure that the Hardware Inventory contains relevant allocation details of all computers. Insure the laptop against loss, theft and damage. Be aware of any exclusion in cover. Prepare guidelines for way out portable computing equipment. Inadequate backup and recovery routines can lead to the Ensure that laptop computers can have their data safeguarded through loss of data. regular backups. Ensure that the primary user of the equipment recognises their responsibilities in this regard. Guidelines for Issuing Portable Computing Equipment Those responsible for matter portable computer equipment must ensure that the following is complied with before issuing such equipment to employees. Ensure that adequate insurance cover is provided for the portable equipment for use in the home country and abroad. Ensure that suitable virus examine software is present on the equipment. Supply suitable network connections and ensure that access procedures are applied if the equipment is to be connected to a network. Ensure that adequate capacity (hard disk and memory size) is available on the equipment to support business processing. Ensure that adequate backup and restore facilities and procedures are in place. Ensure that compatible versions of application software are in place. Ensure that software encr yption and/or physical locking devices are in place. Ensure that adequate records of the equipment are maintained, and that the issue is authorised and receipted. Ensure that authorisation for use of portable computing equipment is received Ensure that the Terms of Use are issued and signed. 1. 
5Using Secure Storage Introduction It is essential that valuable confidential or critical information or equipment is stored in a secure location. This section covers secure storage. Policy Statement Sensitive or valuable material and equipment must be stored securely and according to the classification lieu of the information being stored. Documents are to be stored in a secure manner in accordance with their classification status. 1. 5. 1 Using lockable storage cupboards & filing cabinets A lockable storage cupboard should be considered for storing responsive or valuable equipment.A lockable filing cabinet should be considered for secure storage of paper-based files and records, or smal l but movable items. ICT Issues Key Actions Unsecured organisation sensitive material may be Ensure that all sensitive material is secured in a lockable storage stolen from the department. cupboard, cabinet or safe when not required. The more sensitive the material, the more care must be taken in selecting the appropriate storage method. Ensure you are aware of who is an authorised key pallbearer to any such storage cupboard, cabinet or safe. Ensure that a second key is available with a trusted key holder via a dual control issues process in case the key holder is unavailable or the item is required in an emergency. Securely locked organisation sensitive material may beEnsure that highly sensitive material including computer discs and tapes stolen or damaged whilst in store. are stored in a fire rated storage cupboard, cabinet, or safe.Beware that the cabinet itself may survive the fire but the items inside may be damaged irreparably. Ensure that all sensitive material is secured in a lockable storage cupboard, cabinet, or safe when not required. Use a storage unit, which matches the sensitivity of the material. The more sensitive the material, the more care must be taken in selecting the appropriate storage method. 
Ensure you are aware of who is an authorised key holder to any such storage cupboard, cabinet or safe. Ensure that a second key is available with a trusted key holder via a dual control issues process in case the key holder is unavailable or the item is required in an emergency. 1. 5. 2 Using Fire-Protected Storage Cabinets & Safes A fire protected storage cabinet is a good way to protect sensitive material against the risk of being destroyed by fire and possible water damage from fire fighting activities. The use of safes for storage is to be encouraged.The security of the safe itself is just as critical. Policy Statement Items such as backup-tapes, microfiche, microfilm, archives, recovery diskettes, passwor ds, CDs for software installation shall be considered sensitive and valuable to the organisation and must be stored in fire-protected storage cabinets & safes. IT & T Issues Key Actions Sensitive data stored in fire-protected cabinets can Ensure that all sensitive material is secured in a Fire protected nevertheless be damaged beyond use. callable to their possible cabinets & safe when not required.Yearly & Monthly system & database additional weight, siting is a key consideration backups should be kept away from the build Ensure you are aware of who is an authorised key holder to any such storage cupboard, cabinet or safe. Ensure that a second key is available with a trusted key holder via a data control issues process in case the key holder is unavailable or the item is required in an emergency. Sensitive data may be lost if stolen or during transit. Copies of archives should be kept separate from actual database backups. A physical log file to control backup dat a movement to various safe locations to be kept up-to-date both with signature of security personnel and person woful the backups. Data Library to be up-to-date with details of backup date, type, location, type & expiry date 1. 
6Documenting Hardware Introduction This section deals with hardware credential and manuals, and also hardware inventory. It is essential that hardware funding is kept up to date and made available to all users as appropriate. 1. . 1Managing and Using Hardware Documentation Documentation refers to both the operator manuals and the technical documentation that should be provided by the supplier / vendor. Policy Statement Hardware documentation must be kept up-to-date and readily available to the all staff that may need it. ICT Issues Key Actions If equipment is operated incorrectly mistakes and Ensure you receive all operational and technical manuals for each piece damage may result. of equipment. Store the documentation accessibly but safely. S ystems users must be trained according to the suppliers manuals A failure to follow the recommended schedule of Ensure all regular maintenance is carried out and monitored. maintenance runs the risk of system malfunction, which Adopt procedures which ensure that your operators complete all could possibly jeopardise your business operation. maintenance for which they are responsible according to the manufacturers recommendation Failure to operate equipment in accordance with the Ensure you receive all operational and technical manuals for each piece instructions can invalidate the guaranty. of equipment. Ensure that such manuals are readily available and form the basis of all training. Failure to complete and return the manufacturers Complete the stock-purchase warrant card in time and record the details in your warranty card may invalidate the warranty and hence Hardware Inventory Register. limit the manufacturers liability 1. 6. 2 Maintaining a Hardware Inventory or Register Introduction A register / database of all computer equipment used within your organisation is to be established and maintained. Policy Statement A formal inventory of all equipment should be maintained and kept up to date at all times. 
ICT Issues Key Actions Theft of equipment is most likely to result in additional Establish inventory and implement procedures for update it. cost to the organisation and could compromise data security. Ensure that you have a procedure to advise the acquirement of new hardware, the disposal of old items and any changes of location. Periodically verify the correctness of the inventory by checking that a sample of hardware is physically present. Inadequate insurance could render your organisation liable Establish inventory and implement procedures for keeping it to loss in the event of a claimable event. up-to-date. Ensure that you periodically review the adequacy of your insurance cover. Shortcomings in the planning of equipme nt switch can Establish an inventory and, in abidance with your IT Plan, ear make it difficult to plan ahead for new technology. mark equipment for replacement and plan accordingly. 1. 7 Telecommunications equipment (Procurement, maintenance, practices and design telecommunications) Procurement of telecommunications system Manufacturer maintenance (internal & external) Design criteria of systems direction & Decommissioning of systems Fibre optic systems Introduction This chapter deals with the Information Communication Technology issues relating to the purchase, use, maintenance and the design of equipment through which information is processed and transmitted. The systems covered include, Telephony (PAX and PABX) Data Networks Fibre Network 1. 7. 1 System Design ( Engineering) Policy statement ICT system engineering will be based on tested and proven state of the art technology for a given ICT system. Explanatory notesThe systems administrator shall from time to time update her/himself with new international standards for ICT systems. She/he shall be required to come up with plastic systems that will meet the company needs at the best. 
ICT Issues Actions Technology System engineering shall be based on the latest technology in the required field such as Telephony. Companys needs (Application) The design shall address the company needs and applications for at least the next ten years. tractability The system design shall address the equipment flexibility and upgrade. Redundancy The design will state the expected loading and redundancy of the equipment 1. 7. 2 Procurement Policy Statement In addition to the public and company procurement procedures, the ICT departments will specify in details the operating(a) and capacity requirements of system before any purchase is done. Explanatory notes Before any system acquisition is done, the system administrator will be required to have evaluated the companys needs.This will include system performanc e reliability ultimate capacity and staff abilities included proposed training requirements. This will be in the form of prayer for Proposal (RFP) documents. IC T Issues Actions Tender document Shall have detailed system/equipment description of the performance, reliability and capacity of hardware. The system life forethought shall be required Spares and Support The system spares will be stated.The system support and staff training clearly be addressed definitive dealership/partnership The vendor shall be required to state and prove the partnerships with the manufacturer Tendering The type of bidders to be invited shall be stated 1. 7. 3 Commissioning/ Decommissioning Policy Statement System commissioning will be carried out as stipulated in the manufactures testing/commissioning sheets for any new ICT equipment. Tests should nclude all the RFP system requirements. System commissioning is necessary to ascertain system performance all the designed parameters will be tested. After the commissioning the system passwords should be immediately changed as a security measure, to protect any data manipulation or corruption from the vendor. 
ICT Issues Actions Performance All tests as per system design and manufacturers specification/performance shall be carried out. Drawings All system drawings shall be submitted ( at least three copies)and kept in safe custody Equipment Cabinet keys The equipment cabinet keys shall be handed over to the functional head Decommissioning System decommissioning shall be carried out once the equipment is no longer in use. Commissioning sheets and drawings shall be used to determine the current connection (Circuit termination) of the system. The decommissioned equipment shall be removed from the Telecom room and all wires/cables not used shall be removed. The drawings for decommissioned systems/equipment shall be retired. 1. 7. 4 Maintenance Practices Policy Statement All ICT systems shall be maintain ed regularly as per manufactures recommendations. Where system are set in harsh environments, system maintenance will be carried out as deemed by the systems administrator. Explanatory notes All system maintenance should be done in house as much as possible. Outsourcing of maintenance (Annual Maintenance Contracts, AMCs) contrac