------- INDEX AND GLOSSARY. DO NOT CHANGE OR DELETE! ----------
Open IT Policy Index
- Acceptable Use, Administrative or Special Access (Policy)
- Acceptable Use, Email (Policy)
- Acceptable Use, Internet (Policy)
- Acceptable Use, Virtual Private Network (VPN) (Policy)
- Access Controls, Account (Policy)
- Account Management (Policy)
- Change Management (Policy)
- Computer Virus Prevention (Policy)
- Contingency Planning (Policy)
- Data Backup and Storage (Policy)
- Data Marking, Handling, Processing, Storage, and Disposal (Policy)
- Deferral of System Security Certification or Accreditation, Annual (Form)
- General Information Security Management (Procedure)
- Green Computing (Policy)
- Incident Response (Policy)
- Intrusion Detection (Policy)
- Logging and Audit Trails (Policy)
- Mobile Computing and Network Access (Policy)
- Network Access (Policy)
- Network Access Controls (Standard)
- Network Configuration (Policy)
- Network Data Privacy (Policy)
- Password Management (Policy)
- Personnel Security (Policy)
- Physical Security (Policy)
- Policy Application Checklist (Administrative Utility)
- Secure Media and Data Handling (Procedure)
- Secure Software Development Lifecycle (Standard)
- Social Computing and Networking (Policy)
- Software and Hardware Security Controls (Policy)
- Spam and Unsolicited Commercial Email Prohibition (Policy)
- System Security Certification/Accreditation, Annual (Form)
- System Security Certification/Accreditation, Annual (Policy)
- Telecommuting Agreement, Employee (Form)
-------------------------------------------------------------------------------------------------
Overview and Purpose
Intentional and unintentional misuse and abuse of [variable: Covered Organization] systems pose the greatest threats to information confidentiality, integrity, and availability. Therefore, [variable: Covered Organization] requires that all users of organizational information systems meet minimum personnel requirements related to the sensitivity of their roles, suitability for employment, personnel investigations, and other personnel security considerations.
Coverage
All personnel who use, manage, design, or implement [variable: Covered Organization] Information Resources.
Roles and Responsibilities
Director
- Publishes and maintains policy guidelines for personnel security
- Determines the security access requirements for all positions
- Ensures that all personnel have undergone the appropriate background checks and security training
Information Security Officer (ISO)
- Prepares personnel security policy
- Monitors the adherence to the personnel security policy
- Ensures all personnel are trained in the computer security responsibilities and duties associated with their jobs
Supervisor
- Communicates to the users the personnel security requirements outlined in this policy
- Monitors the adherence to the personnel security policy
- Ensures all personnel are trained in the computer security responsibilities and duties associated with their jobs
- Informs the [variable: Covered Organization or System] Security Officer when access is to be removed
- [variable: Role] is responsible for tracking new personnel account requests, creation, issues, and deletions.
[variable: Covered Organization or System] Security Officer
- Monitors compliance with the personnel security policy
- Promptly deletes passwords for systems and applications under their control when users terminate employment, suspect passwords are compromised, or no longer need access
- [variable: Role] is responsible for tracking users and their access authorizations.
Users
- Understand their personnel security responsibilities and duties
- Use [variable: Covered Organization] information in accordance with job functions, internal policy, and external regulations and laws
- Immediately notify their supervisor of suspected misuse of data, security breaches, violations of policies and procedures, or compromise of password security
Policy
- All organizational positions (users, application managers, system management personnel, and security personnel) must be defined. Security issues related to the functions and responsibilities of these positions must be identified and addressed.
- Access privileges for any given position must be based on the principles of 1) Separation of Duties and 2) Least Privilege.
- All employees are subject to a limited background check, depending on role and system access needs.
- Employees shall be trained in the computer security responsibilities and duties associated with their jobs.
- User account management on a system will be reviewed not less than once per [variable: time period] and/or under the following criteria and conditions: [variable: review trigger(s) or criteria]
- Managers will follow established procedures for:
  - Personnel transfers or discontinuation, and the associated changes to or removal of access privileges, system accounts, and authentication tokens.
  - Control of [variable: Covered Organization] physical keys
  - Training employees on their responsibilities for confidentiality and privacy
  - Return of [variable: Covered Organization] property and ongoing availability of data generated by individual employees.
  - Involuntary termination and its consequences, such as suspension of user accounts and, in some cases, the physical removal of personnel from the [variable: Covered Organization] offices.
- Periodic reinvestigation of personnel background and qualifications may be required.
Enforcement
Gross negligence or willful disclosure leading to illicit exposure of [variable: Covered Organization] information may result in prosecution for misdemeanor or felony resulting in fines, imprisonment, civil liability, and/or dismissal. [variable: Cite relevant laws, policies, or statutes to support enforcement.]
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available)]
- [variable: external documents (with links, if available)]
Policy Support Contact
- [variable: title (not personal name) of role responsible for overseeing this procedure]
- [variable: Contact information of office responsible for overseeing this procedure]
References
Research Resources