Information security policies are the cornerstone of effective information security. The security policy defines what is expected of an organization with respect to the security of its information systems. Its overall objective is to control or guide human behaviour so as to reduce the risk to information assets from accidental or deliberate actions. Information security policies underpin the security and well-being of information resources; they are the foundation, the bottom line, of information security within an organization. We all practice elements of data security. At home, for example, we make sure that deeds and insurance documents are kept safely so that they are available when we need them. All office information deserves to be treated in the same way: in an office, having the right information at the right time can make the difference between success and failure. Data security helps the user control and secure information against inadvertent or malicious changes and deletions, and against unauthorized disclosure. There are three aspects of data security:
Confidentiality: Protecting information from unauthorized disclosure, for example to the press, through improper disposal techniques, or to those who are not entitled to have it.
Integrity: Protecting information from unauthorized modification, and ensuring that information, such as a beneficiary list, can be relied upon and is accurate and complete.
Availability: Ensuring information is available when it is required.
“The network must be designed and configured to deliver high performance and reliability to meet the needs of the operations whilst providing a high degree of access controls and range of privilege restrictions.”
The configuration of a network directly impacts its performance and affects its stability and information security. Information security issues to be considered when implementing the policy include the following:
“Suitably qualified staff are to manage the organization’s network, and preserve its integrity in collaboration with the nominated individual system owners.”
All but the smallest networks, where changes are relatively infrequent, require ongoing management. Information security issues to be considered when implementing the policy include the following:
All OGS Paylab networks should be protected from Internet threats by a firewall, except for monitoring systems that have to sit at the perimeter.
There should be adequate logging on the firewall to track and monitor the connections going through the firewall.
All network connectivity of OGS PAYLAB partners or customers should be directed through a firewall after appropriate approvals from the Chief Product Officer (CPO). Access should be granted only from specific hosts, either through an IPsec VPN or by IP whitelisting, and only to specific hosts on the OGS PAYLAB Technology Network. Access should be controlled at the firewall. It is mandatory for the customer or partner to connect from a static public IP only.
Users should be allowed to reach outside networks and the Internet only through specified gateways. Enforced paths should be implemented by means of default gateways for segregated networks and by channelling the flow of data through monitored points.
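Worked example, added here and not part of the OGS Paylab policy: a Python audit that reads partner-facing firewall log lines and flags accepted connections that break the rules above, namely a source that is not a public address, a source not on the CPO-approved list, or a destination that is not an approved host on the Technology Network. The log format, the address plan and the approved-partner list are constructed assumptions.

```python
import ipaddress
import re
# Approved partner access (constructed, standing in for CPO-approved requests):
# static public source IP -> Technology Network hosts that source may reach.
APPROVED = {
    "203.0.113.10": {"10.20.0.15", "10.20.0.16"},
    "198.51.100.7": {"10.20.0.15"},
}
TECH_NETWORK = ipaddress.ip_network("10.20.0.0/24")  # constructed address plan
# Ranges that can never be a partner's static public IP. RFC 5737 documentation
# ranges are left out on purpose (stdlib is_global would class them as private).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",  # RFC 1918, CGNAT
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]    # loopback, link-local, mcast, reserved
# Constructed log format for the partner-facing firewall (an assumption).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def check_line(line):
    """Policy violations evidenced by one firewall log line (empty if compliant)."""
    m = LOG_RE.match(line)
    if not m:
        return [f"unparseable line (logging gap): {line!r}"]
    if m["action"] != "ACCEPT":
        return []  # dropped traffic is the firewall doing its job
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    findings = []
    if any(src in net for net in NON_PUBLIC):
        findings.append(f"{src} -> {dst}: source is not a public IP")
    allowed = APPROVED.get(str(src))
    if allowed is None:
        findings.append(f"{src} -> {dst}: source is not an approved partner address")
    elif str(dst) not in allowed:
        findings.append(f"{src} -> {dst}: host not approved for this partner")
    if dst not in TECH_NETWORK:
        findings.append(f"{src} -> {dst}: destination outside the Technology Network")
    return findings

def audit(log_lines):
    return [f for line in log_lines for f in check_line(line)]

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2024-05-01T10:00:00Z ACCEPT src=203.0.113.10 dst=10.20.0.15 dport=443",
    "2024-05-01T10:01:00Z ACCEPT src=203.0.113.10 dst=10.20.0.99 dport=22",
    "2024-05-01T10:02:00Z ACCEPT src=100.64.3.9 dst=10.20.0.15 dport=443",
    "2024-05-01T10:03:00Z DROP src=198.51.100.200 dst=10.20.0.15 dport=443",
    "2024-05-01T10:04:00Z ACCEPT src=198.51.100.7 dst=10.30.0.5 dport=443",
]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LOG)))
```

Whether a source address is static cannot be read off the address itself; that has to be confirmed when the CPO approves the connection, so the audit only checks that the source is public and on the approved list.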
Guidelines for employees to keep systems free of viruses and to prevent the spread of viruses and worms are:
Back-up copies of essential business data and software should be taken regularly. Adequate back-up facilities should be provided to ensure that all essential business data and software can be recovered following a computer disaster or media failure. Backup arrangements for individual systems should meet the requirements of business continuity plans.
Backups should be taken monthly onto two external hard drives, one stored locally and the other at a remote location.
The IT department should ensure that backup media is regularly examined for readability of the data. Backup media should be replaced immediately after an error is encountered or at predefined time intervals, whichever comes first. Backup media should be appropriately labelled and numbered, controlled and physically protected. Appropriate operating procedures should be established to protect tapes, disks, data cassettes, input/output data and system documentation from damage, theft, unauthorized access and virus attacks as appropriate.
Data on workstations and notebooks should be backed up on the network drive.
On-site data backups should be kept in safe custody in a fireproof cabinet. The key to the cabinet should be held only by personnel designated by the Chief Product Officer (CPO), with a duplicate kept by the CPO for emergency use.
Off-site data backups should be kept at the location identified as ‘off-site’ in the ‘Business Continuity Plan’ (BCP). Whenever backup media is moved to or from the off-site location, it should be carried in a sealed, tamper-proof envelope or pouch.
A normal user of the data should be granted access on a need-to-know basis. Based on the management hierarchy, discretionary access to application systems and data should be applied through configuration of user and group file-access rights. Strict controls should be placed on application system source code, compilers, operating system software and scripting facilities to ensure that the system's access control mechanisms cannot be bypassed through code subversion.
Users should also be briefed on application and operating system access control functions on a need-to-know basis. Menu systems may also be used to control access to application and system functions rather than allowing users access to a command prompt interface.
Operating system access controls must be employed for all systems connected to external networks. Where possible, access restrictions are to be based on user groups/domains with individual user IDs assigned to the groups as required. User authentication is based on Active Directory domain passwords.
The server room will be locked, and designated personnel will be granted access from time to time as approved by the CPO. The office floor will be locked, and only a restricted number of people will have keys to open the office for the employees.