Best Practice Document
Produced by UNINETT led working group on security (No UFS126)
Authors: Kenneth Høstland, Per Arne Enstad, Øyvind Eilertsen, Gunnar Bøe
October 2010

© Original version UNINETT 2010.
© English translation TERENA 2010.
All rights reserved.

Document No: GN3-NA3-T4-UFS126
Version / date: October 2010
Original language: Norwegian
Original title: “UFS126: Informasjonsikkerhetspolicy”
Original version / date: July 2010
Contact: campus@uninett.no

UNINETT bears responsibility for the content of this document. The work has been carried out by a UNINETT led working group on security as part of a joint-venture project within the HE sector in Norway.
Parts of the report may be freely copied, unaltered, provided that the original source is acknowledged and copyright preserved. The translation of this report has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 238875, relating to the project 'Multi-Gigabit European Research and Education Network and Associated Services (GN3)'.
Table of Contents

EXECUTIVE SUMMARY 4
1 INTRODUCTION 5
INFORMATION SECURITY POLICY 6
1.1 Security goals 6
1.2 Security strategy 6
2 ROLES AND AREAS OF RESPONSIBILITY 8
3 PRINCIPLES FOR INFORMATION SECURITY AT <X University> 10
3.1 Risk management 10
3.2 Information security policy 11
3.3 Security organization 11
3.4 Classification and control of assets 12
3.5 Information security in connection with users of <X University>'s services 13
3.6 Information security regarding physical conditions 14
3.7 IT communications and operations management 17
3.8 Access control 21
3.9 Information systems acquisition, development and maintenance 22
3.10 Information security incident management 23
3.11 Continuity planning 24
3.12 Compliance 25
4 GOVERNING DOCUMENTS FOR SAFETY WORK 27
4.1 Purpose of governing documents 27
4.2 Document structure 27
REFERENCES 28
References

Internal references (to be completed by the institution):

Internal references | Version | Date | Responsible | Comment
IT regulations at <X University> | | | |
Strategy plan at <X University> | | | |
Quality assurance system at <X University> | | | |
IT strategy at <X University> | | | |
Risk assessments | | | |
Personnel policy | | | |
Guidelines for the disposal of IT equipment | | | |
Confidentiality agreement | | | |
Role description CSO | | | |
Other relevant IT related documents | | | |

External references:

[ISO27001] ISO/IEC 27001:2005. Information security – Security techniques – Information security management systems – Requirements.
[ISO27002] ISO/IEC 27002:2005. Information security – Security techniques – Code of practice for information security management.
[ISO27005] ISO/IEC 27005:2008. Information security – Security techniques – Information security risk management.
[OECD] OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. http://www.oecd.org/dataoecd/16/5/15584616.pdf
[BPD107] Power Supply Requirements for ICT Rooms. Best Practice Document. http://www.terena.org/activities/campus-bp/pdf/gn3-na3-t4-ufs107.pdf
[BPD108] Ventilation and Cooling Requirements for ICT Rooms. Best Practice Document. http://www.terena.org/activities/campus-bp/pdf/gn3-na3-t4-ufs108.pdf

More Best Practice Documents are available at www.terena.org/campus-bp/
campus-bp-announcements@terena.org