Document Control

Item: Description
Document Title:
Doc Ref:
Version: 0.2
Classification: Public / Confidential / Strictly Confidential
Status: Current / Internal
Type: Draft
Release Date:
Revision Date:
Author:
Owner:

Version history
Version No. | Date | Author(s) | Remarks

Review history
Date | Reviewer(s) | Remarks

20/02/2014
Internal
V0.2
Page 1 of 15
Contents
Document Control ... 1
Introduction ... 4
  Overview ... 4
  Purpose ... 4
  Scope ... 4
  Compliance and enforcement ... 4
  Deviations from Policy ... 4
Roles and Responsibilities ... 5
Policy Statement ... 6
Principles of Implementation ... 6
  General ... 6
  System Account ... 6
  Physical Security ... 7
  Desktop, Laptop and Portable Device Security ... 7
  Password Usage ... 8
  Mobile Devices Usage ... 8
  Email Usage ... 9
  Internet Usage ... 9
  Computer Virus ... 11
  Software installation ... 11
  Clear Desk Clear Screen ... 12
  Document Security ... 12
  Incident Reporting ... 13
ISO 27001:2013 References ... 14
ISR Reference ... 14
Definitions
Term: Definition
XYZ:
Xyz.co:
ISMS:
IT Department:
CISO:
VPN:
LAN:
IP Address:
CD-ROM:
PDA:
IDF:
USB:
IAI:
IAC:
AV: Asset Value
OS: Operating System
CIA:
ISO:
Introduction
Overview
XYZ's Acceptable Use policies are in place to protect employees and the organization from inappropriate usage of resources that exposes XYZ to risks including virus attacks, compromise of network systems and services, and legal issues.
The Acceptable Use Policy covers, but is not limited to, the following:
Purpose
The purpose of this policy is to define the acceptable use of XYZ's IT resources such as the Internet, email, networks and other IT information assets.
Scope
This policy applies to all employees, contractors, consultants, temporaries and
other workers at XYZ, including all personnel affiliated with third parties. In
addition, this policy applies to all XYZ owned IT equipment, assets and resources.
Responsibility
Chief Information Security Officer (CISO)
Department Staff
End-users
Policy Statement
XYZ end-users shall use the IT Systems and associated privileges for business purposes only and shall not misuse IT Systems and privileges. The XYZ IT department shall develop the necessary policy and awareness programs to educate users on acceptable usage practices, and shall enforce the necessary technical controls to monitor and prevent any inappropriate usage.
Principles of Implementation
The principles that need to be followed for the effective implementation of the Acceptable Usage Policy are explained in this section.
General
IT resources and other messaging services provided by the IT Department and its customers should be used primarily for business purposes. All IT information assets and resources allocated by XYZ are its property and cannot be considered private. The following rules apply to all employees using XYZ's information resources:
1. Employees are responsible for exercising good judgement regarding the reasonableness of personal use.
2. Employees should consult their supervisor or manager if there is any uncertainty.
3. It is the responsibility of IT users to ensure that they use no illegal or unauthorised software or hardware.
4. The XYZ IT Department reserves the right to audit networks and systems to ensure compliance with this policy.
5. Users shall ensure that information or resources are communicated only to authorized personnel.
6. Employees shall not read, discuss or otherwise expose XYZ's business-sensitive information on airplanes, in restaurants, on public transportation or in other public places.
System Account
1. XYZ information resources are provided to users for job-related purposes, and the necessary system privileges are granted only where there is a legitimate business need.
2. XYZ IT does not allow the use of XYZ IT and Communication resources for personal use, including as repositories for personal data.
3. XYZ has deployed right e-fax for official purposes, and employees shall use the e-fax services with utmost care and as per the guidelines.
4. XYZ will ensure that each end user signs an Acceptable Use statement prior to being granted access to an information system.
5. Computer and information systems shall be used in a manner that maintains confidentiality and protects the information contained on XYZ IT systems.
6. XYZ Staff may only gain access to and use systems for which they are specifically authorized.
Physical Security
1. XYZ staff provided with XYZ identity cards shall always visibly display their identity card within XYZ premises.
2. It is in everyone's interest to ensure that the physical access controls to XYZ premises operate effectively. XYZ staff shall cooperate and comply with XYZ physical security measures.
3. Access to computer rooms and sensitive areas shall be controlled. Only authorized staff are allowed access to such areas (e.g., data centre, network room, computer room, etc.).
4. Unauthorised personnel are allowed neither into XYZ premises nor to use the computer resources of XYZ IT.
5. XYZ IT Information systems and resources shall not be moved out of XYZ
premises without appropriate approval from CISO.
Reference: XYZ ISMS Physical and Environmental Policy
Desktop, Laptop and Portable Device Security
7. Laptop users shall ensure that any data stored on the local disk is copied to the central file server for backup.
8. Laptops shall be carried as hand luggage when travelling to prevent damage and unauthorized access.
Password Usage
1. Use a strong password: eight or more characters mixing upper-case and lower-case letters with numbers and special characters.
2. Don't use a correctly spelled word in any language, because dictionary attack software can crack these in minutes.
3. Change your password regularly; this way, if your password does fall into the wrong hands, it won't be usable for long. It is best to change your password every 90 days.
4. Don't use personal information such as your name (or the name of a relative or pet), birthday or hobby, because these are easy to guess.
5. Don't disclose your password to unauthorized users.
Reference: XYZ ISMS Password Policy
Email Usage
1. Users shall ensure that the XYZ email facility is used for official purposes only.
2. Users shall be responsible for the content of email originating from their official email ID.
3. Users shall refrain from using their official email ID for personal communications.
4. Users shall not allow others to use their official email ID for any kind of email communication.
5. Users shall not use another user's official email ID for any kind of email communication; they shall use their own email ID instead.
6. Users are prohibited from sending, receiving or forwarding the following categories of emails using the official email facility:
   a. Emails containing defamatory, offensive, racist or obscene remarks.
   b. Emails that contain viruses or worms.
   c. Chain mails, i.e. mails forwarded through a chain of people, usually containing hoaxes, jokes, music, movies and the like.
   d. Emails containing any document, software, or other information protected by copyright, privacy or disclosure regulation.
7. Users shall exercise caution in providing their official email account to external websites such as discussion boards, mailing lists, etc.
8. Users shall be aware that they are provided with a fixed amount of mailbox space for official email communication.
9. Users shall ensure that every email communication is within the fixed size for transmission; any oversized communication shall be made through other appropriate channels as authorized by the IT department.
10. Users shall use the official email client, i.e. Outlook, for all kinds of official email communication.
11. Users shall be aware that they are responsible for the management of any local copy of their mailbox stored on their laptop or desktop.
12. Users shall password-protect the local copy of their mailbox with a strong password.
13. Users shall ensure that email communication containing sensitive information is protected during transmission using appropriate mechanisms as authorized by the IT department.
14. Users shall promptly report any kind of security incident related to the email system to the IT department through the appropriate channel.
15. Users shall be aware that XYZ reserves the right to monitor email messages and may intercept or disclose, or assist in intercepting or disclosing, e-mail communications to ensure that email usage is as per this policy. XYZ may use intercepted email as evidence to prosecute the user if required.
16. Users shall be held responsible for any misuse of email communication originating from their account. In the event of misuse the user's email account shall be terminated and adequate disciplinary actions may be taken.
Reference: XYZ ISMS e-Mail Policy
Internet Usage
1. Users shall ensure that the XYZ internet facility is used strictly for official purposes only.
2. Users shall refrain from establishing unauthorized means of accessing the internet, such as personal modems, mobile data cards, unauthorized wireless access points, etc.
3. Users shall ensure that they follow the appropriate authentication mechanism to access the internet through the corporate internet facility.
4. Users shall ensure that they do not access the corporate internet facility with the credentials of another user.
5. Users shall ensure that they do not allow another user to access the corporate internet facility with their credentials.
6. Users shall not use the corporate internet facility to access illegal or unethical websites propagating information on gambling, obscene material, violence, weapons, drugs, racism, hate and other similar explicit content.
7. Users shall not share official information with external websites unless otherwise authorized by the management.
8. Users shall not use the internet to download and distribute malicious software in the corporate network of XYZ.
9. Users shall promptly report any kind of security incident related to the internet to the IT department through the appropriate channel.
10. Users shall be held responsible for any misuse of Internet access originating from their account.
Reference: XYZ Internet usage policy
Computer Virus
1. Users shall report any malicious content detected, configuration change or any unusual behaviour in their systems to the IT Help Desk team.
2. Any machine thought to be infected by a virus shall immediately be
disconnected from XYZ IT network.
Reference: XYZ ISMS Antivirus Policy
Software installation
Document Security
1. Users shall collect printouts and photocopies immediately from the printers and photocopiers.
2. Users shall ensure that unused printouts are shredded appropriately.
3. In order to reduce the risk of unauthorized access to XYZ information, users shall adopt a Clear Desk policy. This shall be ensured by keeping all documents in safe custody, such as under lock and key.
4. All documents containing sensitive information shall be labelled as per the information classification and labelling guidelines.
5. Documents containing confidential information shall have a retention period and a proper disposal/destruction process to avoid any unauthorized access to that data.
6. The XYZ IT Department shall ensure that warning notices are displayed on fax coversheets to the effect that the message is meant for the recipient only and that use of the message by any other party will be deemed unauthorized or illegal.
Incident Reporting
1. Users shall promptly report all incidents through the appropriate channel as provided by the IT department. These may include (but are not limited to):
   a. Loss of service, equipment or facilities
   b. Information leakage or loss
   c. System malfunctions or overloads
   d. Human errors
   e. Breaches of physical security arrangements
   f. Uncontrolled system changes
   g. Access violations
   h. Successful hacking attempts
   i. Virus incidents involving e-mail, Internet, USB, CD, diskette and other media
   j. Malfunctioning of systems, software or hardware
   k. Misuse of IT resources
   l. Unacceptable use of information assets
   m. Power problems
   n. Suspicious activities
   o. Physical security breaches
   p. Security weaknesses
   q. Fire
   r. Theft of company property
   s. Password sharing or compromise
   t. Non-compliance with policies and procedures
2. Users shall support the incident response team in its response to contain the incident and in taking the necessary corrective and preventive actions.
3. Users shall refrain from tampering with any source of evidence or audit logs on information systems that may be required for future audit and prosecution purposes.
Reference: XYZ ISMS Security Incident Management Policy
ISR Reference
2.6.1 - Develop, distribute and maintain an acceptable use policy
****End of document****