Software and Hardware Security Controls (Policy)

Overview and Purpose

[variable: Covered Organization] has been entrusted with sensitive, private data to accomplish its goals. To a great degree, our business processes depend on the ongoing availability, integrity, and confidentiality of this data. Sound software and hardware security controls support these goals.

[variable: Covered Organization] requires that appropriate administrative, physical, and technical controls be incorporated into all new and modified applications. [variable: Covered Organization] systems must institute security controls that encompass software; systems; and relevant organizational activities, such as software changes, application installation and maintenance, and hardware updates. In addition, the organization must record and preserve audit trails of all such changes.

Coverage

This policy applies to all staff and management responsible for installing, using, maintaining, upgrading, and otherwise changing the hardware or software that comprises [variable: Covered Organization] systems.

Roles and Responsibilities

[Note: Content in this section is for demonstration purposes only. Replace it with information relevant to your own organization if you use this policy template.]

Director

  • Publishes and maintains policy guidelines for securing [variable: Covered Organization] hardware, operating systems, and application software
  • Ensures that an application manager/supervisor is assigned for each [variable: Covered Organization] application
  • Ensures that all hardware, operating system, and application software security control safeguards are in place for all [variable: Covered Organization] application systems

Information Security Officer

  • Prepares policy guidelines for securing [variable: Covered Organization] hardware, operating systems, and application software
  • Periodically, or at a minimum [variable: Time period], reviews the [variable: Covered Organization] hardware, operating systems, and application software security controls that are in place

Application Managers/Supervisors

  • Assigns application security level designations
  • Ensures employees are aware of all [variable: Covered Organization] hardware, operating systems, and application software security requirements
  • Monitors employee activities to ensure compliance with the [variable: Covered Organization] hardware, operating systems, and application software security requirements

Security Officer – Local or System Specific

  • Works with [variable: Covered Organization] personnel to ensure [variable: Covered Organization] hardware, operating system, and application software controls are documented in [variable: Covered Organization or System] procedures
  • Monitors [variable: Covered Organization or System] and [variable: Covered Organization] employees to ensure compliance with hardware, operating system, and application software policy requirements

Policy

Procedures shall be in place to ensure that maintenance and repair activities are accomplished without adversely affecting system security. The procedures shall:

  • Establish who performs maintenance and repair activities
  • Contain procedures for performance of emergency repair and maintenance
  • Cover the management of hardware/software warranties and upgrade policies so that such items are used to full advantage and costs are minimized
  • Describe how items are serviced through on-site and off-site maintenance (e.g., escort of maintenance personnel, sanitization of devices removed from the site)
  • Describe control of remote maintenance services where diagnostic procedures or maintenance are performed through telecommunications arrangements

The following configuration management practices shall be documented and maintained for all [variable: Covered Organization or System] applications:

  • Version control that associates system components with the appropriate system version
  • Procedures for testing and/or approving system components (operating system, other system, utility, applications) prior to promotion to production
  • Impact analyses to determine the effect of proposed changes on existing security controls, to include the required training of both technical and user communities associated with the change in hardware/software
  • Change identification, approval, and documentation procedures
  • Procedures for ensuring that contingency plans and other associated documentation are updated to reflect system changes
  • Procedures for using “live” test data or made-up data
  • Procedures on how emergency fixes are handled

All software, operating systems, and patches shall be installed in accordance with [variable: Country] copyright regulations, applicable licenses, and [variable: Covered Organization] policy.

Enforcement

Unauthorized personnel are not allowed to see or obtain sensitive data. Gross negligence or willful disclosure leading to illicit exposure of [variable: Covered Organization] information may result in prosecution for misdemeanor or felony resulting in fines, imprisonment, civil liability, and/or dismissal. [variable: Cite relevant laws, policies, or statutes to support enforcement.]

Supporting Documentation

This policy is supported by the following rules, standards, and procedures:

  • [variable: internal documents (with links, if available)]
  • [variable: external documents (with links, if available)]

Policy Support Contact

  • [variable: title (not personal name) of role responsible for overseeing this procedure]
  • [variable: Contact information of office responsible for overseeing this procedure]

References

Policy Model(s)

Federal Agency Security Practices, US Government, National Institute of Standards and Technology (NIST)
