Overview and Purpose
[This procedure needs an overview. Can you help write one?]
Coverage
All individuals who access, store, use, transport, or ship information resources, including hardware and physical media that contain organizational data.
Policy
Access and Custodianship
- Sensitive data shall only be given to those employees with a need to know and who have authorized access in the performance of their official duties.
- Sensitive information must not be left unattended, even temporarily.
- Sensitive data must remain in an authorized employee’s physical control at all times.
- Sensitive information being hand-carried must be kept with the individual and protected from unauthorized disclosure.
- Sensitive media and documents must be kept in a secure safe or a locked cabinet and returned to the safe each evening or during any work breaks greater than [variable: Time period].
- Sensitive information shall be put out of sight when visitors without authorization to view the data are present.
- Physical and environmental protection controls shall be provided for sensitive data contained in a media storage vault or library.
- Sensitive information must not be discussed with unauthorized parties.
Media Labeling
- All [variable: Covered Organization or system] data and information that is sensitive should be dated and marked as such.
- External labeling shall include any special handling instructions (e.g., log/inventory identifiers, controlled access, special storage instructions, release or destruction dates).
Transport
All sensitive information transported through postal or vendor services shall be secured using the following procedure:
- Double-sealed
- Marked “CONFIDENTIAL Designated Official Only”
- Receipt and delivery of sensitive data must be monitored and accounted for to ensure that data is not lost and potentially compromised while in transit.
- In shipments of multiple media boxes or other units, each unit must be itemized and individually trackable.
Disposition
- All magnetic storage media that contain sensitive data must be sanitized when they are no longer needed to store sensitive data.
- A degausser that meets [variable: Covered Organization] specifications may be used to purge most magnetic media.
- [variable: Document specifications here]
- Software overwrite procedures may be used as an alternative to degaussing rigid media.
- Magnetic floppy disks containing sensitive information may be destroyed by burning or shredding. Crosscut shredders, which produce a residue particle size not exceeding 1/32 of an inch in width by ½ inch in length, may be used to destroy magnetic floppy disks that have been removed from the protective covering.
Enforcement
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable: Covered Organization] Information Resources access privileges and to civil and criminal prosecution.
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available)]
- [variable: external documents (with links, if available)]
Policy Support Contact
- [variable: title (not personal name) of role responsible for overseeing this procedure]
- [variable: Contact information of office responsible for overseeing this procedure]
References
Policy Model(s)
State of Texas, Department of Information Resources