Cyber Security Policy
(updated 20 Jan 2024)

  1. Why do we need it?  What is the purpose?
    The rise of remote work has introduced new threats, because far more potentially compromised devices can now connect to corporate networks.  This cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure.  The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches.  Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardise our company's reputation.
    Users must follow the policy to preserve the confidentiality, integrity and availability of the data and resources covered by our IT security program, and must report anything suspicious.  Lab needs to know about scams, breaches and malware so we can better protect our infrastructure.
  2. What is Malware?
    Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network or server.  Types of malware include computer viruses, worms, Trojan horses, ransomware and spyware.
  3. What is Ransomware?
    Ransomware is malware designed to deny a user or organisation access to their files or their computer.  By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers place organisations in a position where paying the ransom appears to be the easiest and cheapest way to regain access to their files.

  4. SECURITY POLICY

    Information security policy


    To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations

    Users Can
    1.    Store data and files relevant to their jobs in a designated location on the data server.
    2.    Share files and data between departments solely for work-related purposes.
    Users Can't
    1.    Copy files or data to the desktop, Mac or iPad, or install any applications on the machine. Lab administrators will promptly remove users engaging in such behaviour, and a warning letter may be sent.
    2.    Leave their password and user ID anywhere close to the computer, on the table or on the iPad. Users must keep this information secure to prevent unauthorised access.
    3.    Use social media, gamble, play online games or browse pornographic websites. If users are found violating these rules, appropriate action, such as sending a warning letter, may be taken.
    Lab Can
    1.    Create and share rules for keeping information safe, in line with business needs and applicable laws.
    Lab Can't
    1.    Fail to provide support for the implementation of the information security policy.

  5. ORGANISATION OF INFORMATION SECURITY

    Internal organisation
    To manage information security within the organisation.
    I.    Facilitates data integrity, availability and confidentiality
    Effective information security policies standardise the procedures and guidelines that guard against threats to the confidentiality, availability and integrity of data.
    II.    Protects sensitive data
    Information security policies prioritise the protection of intellectual property and sensitive data such as Personally Identifiable Information (PII).

    External parties
    To maintain the security of the organisation’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.

    Users Can
    1.    Allow third parties, merchants or providers to supply USB drives, CDs or DVDs for software installation, provided an antivirus scan is run on them first.
    Users Can't
    1.    Ask suppliers, vendors or other third parties to install any hardware or systems on business property.
    Lab Can
    1.
        IT administrators are in charge of implementing and ensuring compliance with rules to keep information secure. The responsibility includes ensuring that data is accurate, available, and kept private.
    Lab Can't
    1.    IT administrators are prohibited from sharing sensitive organisational information unless they have the appropriate authorisation.


  6. ASSET MANAGEMENT

    Responsibility for assets

    To achieve and maintain appropriate protection of organisational assets.

    Information classification
    To ensure that information receives an appropriate level of protection.

    Users Can
    1.    With authorisation from the Lab or Department Head, users may, under certain circumstances, carry Lab assets within the organisation's premises for work-related purposes.
    Users Can't
    1.    Take any Lab assets out of the organisation without the Lab's consent.
    2.    Use USB drives in organisational systems unless the Lab gives permission.
    Lab Can
    1.    IT staff are in charge of setting up systems and protocols to help classify information.
    Lab Can't
    1.    Risk the accuracy of the information classification process by permitting unauthorised access to classified information.


  7. HUMAN RESOURCES SECURITY

    Prior to employment

    To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

    During employment

    To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error.

    Termination or change of employment
    To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner.

    Users Can
    1.    View their own payroll by entering their employee ID and password.
    2.    Improve understanding by asking clarifying questions and encouraging open communication.
    Users Can't
    1.    Disregard or interrupt the opinions of others, since this obstructs effective communication.
    2.    Use informal or technical language that could confuse their coworkers.
    Lab Can
    1.    Contribute to reducing the risk of theft, fraud, or misuse of facilities. 
    2.    Ensure that employees, contractors, and third party users are aware of information security threats.
    3.    Facilitate an orderly exit or employment change process for employees, contractors, and third-party users.
    Lab Can't
    1.    Neglect to inform users about information security threats or their responsibilities.
    2.    Fail to provide the necessary support for organisational security policies.
    3.    Disregard established procedures for the exit or employment change of users.

     
  8. PHYSICAL AND ENVIRONMENTAL SECURITY

    Secure areas

    To prevent unauthorised physical access, damage and interference to the organisation’s premises and information.

    Equipment security
    To prevent loss, damage, theft or compromise of assets and interruption to the organisation's activities.

    Users Can
    1.    Access authorised areas based on their role and responsibilities.
    2.    Use equipment as per their designated purpose.
    Users Can't
    1.    Keep equipment next to air conditioners, heater vents, radiators or other ductwork, or where it is visible through window or door openings.
    2.    Permit the moving or servicing of equipment unless the task has been pre-authorised and the service workers can show a legitimate work order and identity verification.
    3.    Dispose of confidential print copies in public trash unless they have been destroyed first.
    Lab Can
    1.    Implement and maintain physical security measures to prevent unauthorised access.
    2.    Implement security protocols to prevent loss, damage, or theft of equipment.
    Lab Can't
    1.    Neglect the implementation and monitoring of physical security measures.
    2.    Fail to establish and enforce security protocols for the protection of organisational assets.


  9. COMMUNICATION AND OPERATIONS MANAGEMENT

    Operational procedures and responsibilities

    To ensure the correct and secure operation of information processing facilities.

    Third party service delivery management

    To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.

    System planning and acceptance
    To minimise the risk of systems failures.

    Protection against malicious and mobile code

    To protect the integrity of software and information.

    Back-up

    To maintain the integrity and availability of information and information processing facilities.

    Network security management

    To ensure the protection of information in networks and of the supporting infrastructure.

    Media handling

    To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.

    Exchange of information

    To maintain the security of information and software exchanged within an organisation and with any external entity.

    Electronic commerce services

    To ensure the security of electronic commerce services, and their secure use.

    Monitoring

    To detect unauthorised information processing activities.

    Users Can
    1.    Have their data shared with the Administrator Group and the designated user or groups.
    2.    Work with their files from the Data Server.
    3.    Mac users can only use the mounted drive (Data drive) on the dock, and a password is always required to access it after boot-up.
    Users Can't
    1.    Save files on the local workstation.
    2.    Obtain another person's data by themselves. If Person A requires Person B's data immediately, they need department head approval and must submit a request form to Lab; Lab will then add Person A's permission to Person B's folder.
    3.    Provide the company's login credentials to any third party unless the vendor requests it and Lab authorises it.
    Lab Can
    1.    Develop and maintain operational procedures for secure information processing.
    2.    Establish and enforce backup procedures to maintain information integrity and availability.
    3.    Implement monitoring systems to detect and respond to unauthorised information processing activities.
    Lab Can't
    1.    Neglect the development and maintenance of operational procedures.
    2.    Disregard established guidelines for secure media handling, leading to potential asset compromise.
    3.    Fail to implement monitoring systems to detect and respond to unauthorised information processing activities.


  10. ACCESS CONTROL

    Business requirement for access control

    To control access to information.

    User access management

    To ensure authorised user access and to prevent unauthorised access to information systems.

    User responsibilities

    To prevent unauthorised user access, and compromise or theft of information and information processing facilities.

    Network access control

    To prevent unauthorised access to networked services.

    Operating system access control

    To prevent unauthorised access to operating systems.

    Application and information access control

    To prevent unauthorised access to information held in application systems.

    Mobile computing and teleworking

    To ensure information security when using mobile computing and teleworking facilities.

    Users Can
    1.    Ask to access websites relevant to their task.
    2.    Submit a request to Lab through osTicket for access to a website if they require it for work.
    3.    In certain departments, use apps such as iMessage, WeChat, WhatsApp, Skype and LINE to message or phone suppliers or customers.
    Users Can't
    1.    Send emails containing sensitive, amusing, lighthearted or sexually explicit language, texts or images.
    2.    Have full internet access (except for the Dept Head/Manager).
    Lab Can
    1.    Manage and enforce user access policies to ensure authorised access and prevent unauthorised access to information systems.
    2.    Implement controls to prevent unauthorised access to networked services.
    3.    Implement controls to prevent unauthorised access to information held in application systems.
    Lab Can't
    1.    Neglect user access policies or allow unauthorised access to information systems.
    2.    Neglect the implementation of controls to prevent unauthorised access to networked services.
    3.    Neglect the implementation of security measures to ensure information security when using mobile computing and teleworking facilities.


  11. INFORMATION SECURITY INCIDENT MANAGEMENT 

    Reporting information security events and weaknesses

    To ensure that information security events and weaknesses associated with information systems are communicated in a manner that allows timely corrective action to be taken.

    Management of information security incidents and improvements

    To ensure a consistent and effective approach is applied to the management of information security incidents.

    Users Can't
    1.    Discuss the incident with anyone else unless specifically instructed to do so. Selecting which audiences to notify about an event that is still unfolding requires careful consideration; inform only those who really need to know about the breach, otherwise things can get worse.
    Lab Can
    1.    Establish and manage a system for reporting information security events and weaknesses.
    2.    Ensure that users have a clear and accessible means to report incidents.
    Lab Can't
    1.    Disregard reports of information security events or weaknesses.
    2.    Fail to implement improvements based on insights gained from incident management.


  12. COMPLIANCE 

    Compliance with legal requirements

    To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

    Compliance with security policies and standards, and technical compliance

    To ensure compliance of systems with organisational security policies and standards.

    Information systems audit considerations

    To maximise the effectiveness of the information systems audit process and to minimise interference to or from it.

    Users Can
    1.    Seek guidance from the Lab on any question concerning any area of information security.
    2.    Report any suspected or actual data loss.
    3.    Ask Lab to change their password if they think it might have been compromised.
    4.    Respect both Lab policies and the law.
    Users Can't
    1.    Tell anyone their password.
    2.    Use a personal email address when conducting business for the organisation.
    3.    Compromise or attempt to compromise computer system security.
    4.    Make copies of information on banned organisations without authorisation.
    5.    Give people who are not authorised access to the organisation's information or systems.
    6.    Use their organisation password for any other service.
    7.    Connect personally owned mobile devices or storage to equipment that belongs to the organisation.
    8.    Leave their computers unlocked when unattended.
    Lab Can
    1.    Help and assist in the information systems audit process to make it as effective as possible.
    2.    Create steps or methods to reduce disruptions to the information systems audit process.
    Lab Can't
    1.    Purposefully disrupt or obstruct the information systems audit process.
    2.    Provide false or misleading information during the audit process.

@Designed by Mimi, Computer Lab
