Information Technology (IT) Policy
Every organization should have written policies surrounding the secure use and maintenance of the technology systems within the organization. The following is a sample that can be used as a base for creating your own policy statements that fit your organization.
INFORMATION TECHNOLOGY SYSTEM SECURITY POLICY
A. Purpose:
It is the obligation of financial institutions to protect the security and confidentiality of client information. To ensure that resources will be adequate, management must be comfortable that the information and/or processing capabilities are adequately protected from loss, misuse, unauthorized access or modification, unavailability, or undetected activities.
B. Overview:
The Security Policy may be viewed as a written process that provides for adequate, cost-effective security protection for the organization’s IT systems. Thus, it reflects input from organization staff, including functional “end users”, and the organization’s network administrator. Security Planning is a vital part of the overall IT Planning requirements for the system.
C. Scope:
The provisions contained in the Security Policy cover the organization’s IT system resources.
D. Procedure:
The sensitivity level of the organization’s IT system will be determined based on the data processed and the importance of the system to the organization’s mission. The organization’s system must include security controls that reflect the importance of the information processed. The sensitivity level of the organization’s IT system will be identified in the following categories:
Confidential - systems and data that require protection against unauthorized access in the interest of protecting the organization’s and clients’ privacy.
Sensitive - systems and data that require some degree of protection because of integrity and/or availability requirements. This includes systems and data whose improper use or disclosure could adversely affect the ability of the organization to accomplish its mission.
Non-Sensitive - systems and data that may be considered “trivial”: the data requires no protection for confidentiality or integrity, and the mission of the organization can be accomplished without the system.
IT Systems
The IT system is comprised of hardware, software (programs), and telecommunications components. It may include individual applications, major software applications, or a combination of hardware and software whose only purpose is to support a specific mission-related function. The system may also consist of hardware and software that provide general automated data processing or network support for a variety of users and applications. Individual applications may be less easily distinguishable, but such applications may contain sensitive information or be critical to the mission of the organization. Even if none of the individual applications are sensitive, the support system itself may be considered sensitive if the aggregate of applications and support provided is critical to the mission of the organization.
E. Responsibilities and Process:
The Board of Directors and the CEO will be accountable for all organization IT resources (i.e., hardware, software, data, telecommunications, etc.) as well as define system boundaries. The CEO and the Director of Operations will maintain the system security policies. The Director of Operations shall serve as the central point of contact for IT security and will monitor security policy requirements.
The CEO and Director of Operations will:
- Establish and maintain a list of organization’s IT system resources.
- Review and update the Security Policy as needed.
The Security Policy is intended to serve as a management tool for the organization in determining the sensitivity level and protection requirements for the IT system. The Security Policy describes the control measures in place and any planned controls intended to meet the protection requirements of the system. The Security Policy can assist in determining whether or not current security measures are adequate. Properly documented, the Security Policy can be used as a “mini-risk assessment” that can and should be used to determine what additional action and/or resources are required to bring the system in line with operational and security requirements.
The Security Policy will contain the security requirements and the controls implemented to provide protection against the system’s vulnerabilities.
The Security Policy must be dated. This will allow ease of tracking modifications and approvals.
The Security Policy will be maintained in an up-to-date manner. At least annually, the Security Policy should be reviewed by the Board of Directors and management and updated to incorporate changes to the system.
SECURITY VERIFICATION AUDIT
A. Purpose
The purpose of this section is to establish procedures for conducting an information technology (IT) security verification audit. The purpose of the IT security verification audit is to provide a level of review and evaluation independent of the organization that will verify that adequate and appropriate levels of protection are being provided for the organization’s systems, based on their unique protection requirements.
B. Overview
Protection requirements for the organization’s IT systems will vary according to the unique characteristics of the system, environmental concerns, data sensitivity and mission. Total protection against all threats may be an unrealistic goal. Appropriate levels of security must be determined by an evaluation of the threats, vulnerabilities and risk factors associated with the system. Cost-effective controls that are adequate to achieve an acceptable level of risk for the system must then be implemented.
The organization is responsible for identifying the risk levels of its systems and preparing Security Policies that provide a basic overview of each system’s security and privacy requirements. The organization’s policy for meeting those requirements includes conducting risk assessments, implementing controls determined to be required and cost-effective, developing contingency and disaster recovery plans that will ensure availability of the system for mission accomplishment, and completing all requirements for certification of the system. The IT security verification audit process provides an independent means to ensure that the organization has implemented adequate and appropriate levels of protection, based on the system’s unique requirements.
C. Policy
An IT security verification audit will be conducted annually on the organization’s IT system by an evaluation team under the direction of the supervisory committee. The IT system Security Policy will be used as the foundation for the security verification audit. The review will be conducted in accordance with the guidance from applicable policies, regulations and standards, and an independent auditor as determined by the supervisory committee.
D. Responsibilities and Process
IT Security Verification Audit Team
The IT security verification audit team will work under the direction of the supervisory committee or its designated representative. This should assure the organization’s board of directors and management that the level of knowledge and control over the organization’s IT security program requirements is adequate. Team members should include personnel knowledgeable about physical and environmental security, personnel security, information security, application security, hardware and software, telecommunications, technical controls, procedural security, contingency and disaster recovery planning, and risk management. The actual number of team members may vary and should be limited to the smallest number needed to cover all areas of concern.
The organization’s CEO will be responsible for the planned review, including conducting an in-briefing and an exit-briefing with the security verification audit team. The CEO will also be responsible for conducting organization team meetings as required, deciding which recommendations are appropriate for the IT system, and preparing the draft and final “IT Security Verification Audit Report.”
MALICIOUS SOFTWARE
A. Purpose
The purpose of this section is to establish organization procedures to minimize the risk of introducing malicious software into computer systems. It also provides guidelines for the detection and removal of malicious software from information technology (IT) systems.
B. Overview
Malicious software presents an increasingly serious security problem for computer systems and networks. Malicious software includes viruses and other destructive programs, such as Trojan horses and network worms. This type of software is often written as an independent program that appears to provide a useful function but also contains malicious code that can be very destructive. It can spread quickly through software bulletin boards, shareware, and users unknowingly copying and sharing these programs in an unauthorized manner. Users sharing data files and software products can also spread it. Networks are particularly vulnerable, as they allow very rapid spread of malicious software to all systems connected to the network.
A program that is infected with a virus can infect any host on which the program is used. Because of the insidious nature of a virus, any user may become an unwitting propagator. The organization’s dependence on networked computer systems, personal computers (PCs), and office automation makes the organization susceptible to virus “attacks.”
Computer viruses have become a threat to virtually everyone using a computer. A virus can destroy programs and data by copying itself to other programs. It is then executed when the infected program is run. It can disable computers and entire computer networks. It can also cause lost computer time and staff resources to track and eliminate it.
Sound IT security procedures will help detect and prevent computer viruses and other malicious programs from spreading or causing damage. The guidelines contained in this document can be adapted for any type of computer system.
C. Background and Authority
Due to the widespread threat from computer viruses to the organization, it has become necessary to implement specific measures designed to reduce this threat and the potential damage caused by virus infections to the organization’s IT systems.
D. Scope
This procedure applies to all employees, personnel from other organizations, business partners and vendors using, operating or maintaining the organization’s IT systems.
E. Procedure
The organization will establish and implement processes and procedures to minimize the risk of introducing viruses and other malicious software, to ensure timely detection of infections, to provide procedures for eliminating infections from the organization’s inventory of PCs, and to provide procedures to minimize the risk from malicious programs to larger systems.
F. Responsibilities and Process
The CEO and Director of Operations are responsible for updating and monitoring the IT security program. This includes establishing IT security procedures for safeguarding the organization’s IT resources.
The Director of Operations shall serve as the central point of contact for all matters relating to IT security for the organization.
The CEO and Director of Operations are responsible for:
- Developing appropriate procedures and issuing instructions for the prevention, detection, and removal of malicious software consistent with the guidelines contained herein.
- Ensuring all personnel within the organization are made aware of this procedure.
- NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then “double delete” them by emptying the deleted items folder.
- Delete spam, chain and other junk email.
- Never download files from unknown or suspicious sources.
- Back up critical data and system configurations on a regular basis and store the data in a remote safe place.
Employees, personnel from other organizations using the organization’s systems, business partners and vendors are responsible for following procedures for the protection of the organization’s IT resources to which they have access. This includes reporting IT security incidents involving viruses and other malicious software.
G. Requirements
The requirements defined in this section, when implemented, will minimize the risk from the introduction of viruses and other malicious software to the organization’s IT system and network. Not all requirements listed will apply to the organization’s IT system or network.
The organization must consciously evaluate the appropriateness of each of the following situations and implement those that apply.
- Backing up software and data. Employees should back up new software immediately, retaining the original distribution media in a safe and secure location. If a virus destroys the working copy, the original software is still available. Copying copyrighted software without the vendor’s consent is illegal. If a vendor has not pre-approved backup copies, employees must obtain vendor approval before creating additional copies.
- Establish controls for local area networks that prevent anyone except the system administrator or other authorized staff from loading software on file servers. Ensure that operating system files and other executable files are read-only.
- If possible, disable the network mail facility from transferring executable files. This will help prevent network worm programs from spreading through the network.
- Insiders most often introduce Trojan horses and other similar malicious software programs, and it is not unusual for larger systems to be the target. The best protection against attacks of this type is to establish good management procedures. Effective controls include separation of duties, limiting individual access and allowed actions to what is needed and no more, formal change control and configuration management procedures, separation and testing of development versus production software, and control over installation of new software versions. Frequent backups of the system and data will allow recovery should an incident occur.
Authorized Software
It is imperative that machine-readable software and data files be obtained from reliable sources. Viruses are often spread through free or shared programs, games, demonstration programs, and programs downloaded from bulletin boards. Employees must not use privately owned software or take software from their office without management approval. A violation will result in disciplinary action up to and including termination. Commercial software must be obtained through appropriate channels. In-house software must be developed in accordance with established procedures and have prior management approval.
Shareware and freeware software must be obtained only with prior management approval. Software obtained electronically from bulletin boards should be downloaded to newly formatted diskettes and not directly to the computer hard disk. All newly acquired software, regardless of source, is subject to the scanning requirements in sub-paragraph 4 above.
Passwords
For larger systems and networks, user identification and passwords are the primary protection mechanism against malicious software. If would-be perpetrators cannot get into the system, they cannot put malicious software on the system. When possible, all IT systems that are shared resources, including local area networks and multi-user stand-alone systems, shall implement a user identification and verification system, such as a USERID and password. Procedures for the establishment, structure, individual accountability, periodic changing and removal of USERIDs and passwords will be followed. Passwords used to log in to the network and GBS will be required to be changed on a regular basis and must never be disclosed. Passwords to secure websites such as Clients United FCU will also have a password change requirement and must never be disclosed.
Log files should be reviewed periodically to detect unusual activity. Terminals, workstations and networked PCs should never be left unattended when logged in.
Malicious Software Indicators
If the organization’s IT system seems to be behaving differently than usual, a malicious software incident may have occurred. Below are a few signs that may indicate that a system has been infected.
- Any unexplained messages or graphics on the screen,
- An increase in the time required to load or execute programs,
- An increase in the time required for disk accesses or processing from disk,
- Unusual error messages,
- Programs or files mysteriously disappearing,
- Less memory available than usual,
- Executable files changing size for no apparent reason,
- Accesses made to non-referenced devices,
- Data consistently out of balance,
- File date and time stamps changing for no apparent reason,
- Obsolete user accounts in use,
- The presence of unexplained hidden files, and/or
- Unusual network activity.
(If a system demonstrates any of the above, it could indicate that malicious software is present.)
H. Elimination, Recovery and Reporting
If there is suspicion that a virus or other malicious software program has attacked the IT system or network, do not attempt to fix the problems, but immediately report it to a manager. The appropriate action to control the damage will be determined and a written report of the incident will be made. It is important that the particular virus or other malicious software program, source, and potential for proliferation be identified and controlled.
The initial report should be made within 24 hours of the incident. This report may be verbal and should include the following information:
- Date and time of incident
- Location
- Equipment type, make and model
- Malicious software type
- Method of discovery
- Virus name (if known)
- Source of malicious software (if known)
- Apparent effect
Within ten working days of the incident, a written report will be prepared. This report will include the following along with all of the above information:
- Impact on operations;
- Severity, including hours devoted to recovery and any additional costs incurred;
- Proliferation, number of machines or media infected;
- Action taken - how the malicious software was cleared, who was notified, including outside organizations, and what steps were taken to identify the source.
I. Computer and E-mail Usage
Computers, computer files, the e-mail system, fax and software furnished to employees are [ENTER ORGANIZATION’S NAME HERE] property intended for business use. Employees should not use a password, access a file, or retrieve any stored communication without authorization. To ensure compliance with this policy, computer and e-mail usage may be monitored.
[ENTER ORGANIZATION’S NAME HERE] strives to maintain a workplace free of harassment and sensitive to the diversity of its employees. Therefore, [ENTER ORGANIZATION’S NAME HERE] prohibits the use of computers and the e-mail system in ways that are disruptive, offensive to others, or harmful to morale. For example, the display or transmission of sexually explicit images, messages, and cartoons is not allowed. Other such misuse includes, but is not limited to, ethnic slurs, racial comments, off-color jokes, or anything that may be construed as harassment or showing disrespect for others.
E-mail may not be used to solicit others for commercial ventures, religious or political causes, outside organizations, or other non-business matters.
[ENTER ORGANIZATION’S NAME HERE] purchases and licenses the use of various computer software for business purposes and does not own the copyright to this software or its related documentation. Unless authorized by the software developer, [ENTER ORGANIZATION’S NAME HERE] does not have the right to reproduce such software for use on more than one computer.
Employees may only use software on local area networks or on multiple machines according to the software license agreement. [ENTER ORGANIZATION’S NAME HERE] prohibits the illegal duplication of software and its related documentation.
Employees should notify their immediate supervisor, the Department Manager or any member of management upon learning of violations of this policy. Employees who violate this policy will be subject to disciplinary action, up to and including termination of employment.
J. Internet Usage
Internet access to global electronic information resources on the World Wide Web is provided by [ENTER ORGANIZATION’S NAME HERE] to assist employees in obtaining work-related data and technology. The following guidelines have been established to help ensure responsible and productive Internet usage.
All Internet data that is composed, transmitted, or received via our computer communications systems is considered to be part of the official records of [ENTER ORGANIZATION’S NAME HERE] and, as such, is subject to disclosure to law enforcement or other third parties. Consequently, employees should always ensure that the business information contained in Internet e-mail messages and other transmissions is accurate, appropriate, ethical, and lawful.
The equipment, services, and technology provided to access the Internet remain at all times the property of [ENTER ORGANIZATION’S NAME HERE]. As such, [ENTER ORGANIZATION’S NAME HERE] reserves the right to monitor Internet traffic, and retrieve and read any data composed, sent, or received through our online connections and stored in our computer systems.
Employees who violate this policy will be subject to disciplinary action, up to and including termination.