1. Introduction: The purpose of data security is to ensure the business continuity and minimize damage by Preventing and minimizing the effect of security incidents. Data and Information security management gives an enabling mechanism to share information which ensures the protection of information and many computing assets.In order to protect the information, businesses need to implement rules and controls around the safety of information and the systems that store and process this information. This canusuallybe achieved by implementingnetwork security policies, standards, guidelines and procedures. There are three basic constituent of information security management Confidentiality– protect the sensitive information from unauthorized disclosure. Integrity - guard the accuracy and completeness of data and information and computer software. Availability–make sureto avail that information and important services to users when needed. This document states the Policy and outlines procedures,and best practices neededto create and maintain a secure environment in WWTC 2. Scope The information security policy and its related standards and procedures apply to all employees, contractors, temporary staff, agency staff, affiliates associated bodies and others with access to organization equipment. This includes visitors and any other Users, utilizing the network. It applies to all computer equipmentand accessories connected to the organization’s network or not, and software and information stored inside. 3. Employment practices Every employee, contractor and others with access to Organization equipment should have access to a copy of the data Security policy and this document. Contractors has to sign an agreement regardingthe acceptance of the organizations’ policy on information security, data confidentiality and the regulations and responsibilities relating information technology systems and services. Every employeewho will use information systems and associated equipment will be issued with the policy and the regulations. All new employees should be explained on the importance of information systems security and their role in it during induction. Network and Information Technologies Management should be notified whenever an employee is transferred or promotedor terminated in order to adjust information systems access privileges. The Head of the Department is responsible for Information Technologies security practices relating to Employment 4. Responsibility of Employees Every employee is responsible for Information Technologies security. No employee shall disclose confidential information to outsiders or other unauthorized employees. Organization information systems resources shall only be used for organization’s business purposes. Employees are also responsible for reporting any security incidents of which they become aware. The following activities are illegal or put the organization at risk and will be treated as industrial misconduct. • Stealing or copying information or software • Deliberate propagation of computer viruses, malwares etc. • Violating copyright including software copyright. • Confidentiality Breach. • Failure to maintain proper records • Failure to report security incidents • Visit illegal websites. • Failure to cling to software licensing and other business/contractual agreements 5. Policy I. Physical Environment and access • The Head of IT department is responsible for the Organization’s network security. • Employees are responsible for keeping locations securefrom which information can be accessed. • Heads of respective division/sections/unitsare responsible for physical security within their premises. • All Information technologies resources must be protected against fire, electric power fluctuations, water, physical damage and theft. • Choose proper protection method from among others, physical barriers, environmental detection and protection, insurance other risk management techniques, and cost. II. Data Classification ? All data collected by the organization must be classified for data sensitivity to ensure confidentiality, proper back up and recovery procedures are implemented. ? The data classification is based on its level of sensitivity and the impact to the organization ? The Business Owner, in together with IT Services must determine how data is to be used and access permission to individuals or group. ? Data stored on the organization’s core computer systems must not be copied or downloaded to any computer systems, or storage devices without permission of the Business Owner. III. Data Storage ? Data collected and stored on organization computer systems must be used only for the purpose for which it was originally collected and for organization’s interest. ? Data should not be extracted from organization computer systems and stored and manipulated on personal computers under any circumstances without approval of the Business Owner. ? Data must not be stored external to the organization without prior approval of the Head Information Officer ? WWTC material must not be hosted on external web sites without prior approval of the Head Information Officer. IV. User account and password management ? Access to WWTC computer systems must be controlled by usernames and passwords. ? The Identity Management System (IMS)in the organization will generate a username and initial password for all Users who require access to the organization’s computer systems. ? Usernames and passwords must be used properly, i.e., they must be confidential under any circumstances, must not contain vulgar and are not to be shared. ? Improper use of computer systems which is attributable to login may be considered as misuse and may lead to disciplinary action. ? WWTC employees (payroll staff) ? WWTC employeescan automaticallyaccess the organization’s computer systems once they have been entered in to the HR Management System and their employment with the organization has commenced ? Access to main system applications must be uniquely identified through username and password ? Access to the functional procedures within the core application will be provided on the basis of grouped functions determined by the Business Owner to ensure a proper segregation of duties. ? Access to the organization’s computer systems will automatically be removed on the last the day of employment as recorded within the HRManagement System. ? Access to the computer systems may be terminated at any time due to a breach in organization policy. ? Non-WWTCemployees (agency, contractors etc.) ? Non-WWTC employees will be provided with access to the organization’s computer systems once they have completed and submitted a H1-Network Account Form to IT Services ? Access to main system applications must be uniquely identified through username and password ? Access to the functional procedures within the core application will be provided on the basis of grouped functions determined by the Business Owner to ensure a proper segregation of duties. ? Access to the organization’s computer systems will automatically be removed on the last the day of employment as recorded within the HRManagement System. ? Access to the computer systems may be terminated at any time due to a breach in organization policy. V. Remote Access ? Remote access will be provided to all authorized employees via the organization’s VPN on the basis of strict controls that reduce the possibility of unauthorized access to organization systems and data. ? Users are not allowed to remote control PC workstations. Employees who need to access remote services must use the approved method of accessing that service ? The remote access services offered by the organization include: ? IPSEC VPN access for employees who needs access to non-public resources ? Remote access ? must be authenticated by usernames and passwords combination, ? must only be used for activities related to organization. ? to the organization’s network is considered an extension of the organizationnetwork, and is subject to all organizationpolicies relating to the use of computing facilities, including regulations on legal use of software VI. Wireless Access ? Wireless access to organizationsystems will be provided to all employees from certain locations on the campus (lobby and conference room), provided Users have proper hardware and software. ? Wireless access must only be used for Organization’s interest. ? All wireless access must be done via authorized access points that are installed and managed by the Organization. ? Use of unauthorized wireless equipment on campus premises is strictly prohibited ? All Organization policies relating to the use of computing facilities, including regulations on ethical and legal use of software, apply to the use of WWTC wireless access. VII. Internet/intranet access ? Access to the Internet and the WWTC intranet will be provided to all employees with a valid User account. On-line monitors and filters will be used to identify inappropriate, excessive or any unauthorized usage. ? Remote Users need to authenticate themselves before accessing the WWTC network by using the organization VPN. ? Under no circumstances a User is allowed to establish wireless access points (WAP), modems, Internet or other external network connections to organization systems, networks and organization information. ? Users are not allowed to use any new or existing Internet connections to provide new communication channels outside of the designated services provided by the Organization without proper approval of the Chief Information officer. These channels include electronic data interchange (EDI) arrangements, e- banking, electronic malls with on-line shopping and on-line database services. ? De Militarized Zone (DMZ) ? All computer systems, devices or network subnets that are accessible via Internet must be keptinside the DMZ. ? Firewall ? No traffic from the DMZ to internet, and vice versa, is allowed unless prior arrangements have been made with ITS to allow for such services. ? No traffic from the DMZ to the organization network, and vice versa, is allowed unless prior arrangements have been made with ITS to allow for such services. ? User workstation subnets ? No direct connections from the Internet to User’s PC workstations are allowed. ? No servers are allowed to be connected to User networks. ? Perimeter firewall – incoming connections ? To protect organization network Users from security attacks from the Internet, all external Internet traffic to the organization’s network is denied, unless explicitly permitted from CIO. ? Perimeter firewall – outgoing connections ? All internal traffic to the Internet is denied unless explicitly permitted. ? Changes to firewall ? Changes to the firewall rules that pose an unreasonable risk to the Organization is denied. If the risk is acceptable, granting of requests will then be dependent on network infrastructure limitations. ? Information security ? Organization, proprietary, or private information must not be sent over the Internet without encryption. ? Credit/Debit card numbers, log-in credentials, and other parameters that can be used to gain access to organization systems, networks and services, must not be sent over the Internet without encryption. ? At any point of time and without prior notice, organization management holds the right to inspect e-mails, personal files, and any other information stored on organization computers. This examination assures compliance with internal policies, supports performance of internal investigations, and assists with the organization information system management. ? Reasonable usage ? Use of organization computing resources for other than non-organization activities is not permitted. It is the responsibility of the Head of Management Unit to recover any costs associated with improper use of WWTC computing facilities. VIII. Wide Area Network • Unless granted by the CIO, employees will be in breach of this policy and will be subject to disciplinary or legal proceeding if they: • intercept private e-data • add or alter any equipment • redirect e-data • add any new points of presence (POP) on the public domain • read private e- data • copy any private e-data • modification of private e-data either in transit across the network or stored within any computer system. • Access to the organization’s data and voice communications network will always be secured and limited to listed employees.No other groups are to connect network devices to the WWTC network.Equipment to be added to the organization’s network must be Standard Network Architecture (SNA) compliant. IX. Local Area Network • Users must lodge an application with ITS to establish a new server. • A new server will not be connected to the Organization network until approved byITS and: i. Users or group of Users of the server are identified ii. system privileges for each group of User is determined iii. Proper Authentication process is implemented iv. intrusion detection strategies are implemented v. the server is fully patched and secured vi. procedures for backup and recovery of resources are documented • Organizationcan disconnect servers without warning if it is not patched or secured. X. Anti-virus • Licensed virus checking and removal software will be installed automatically on all organizationcomputer systems. • Anti-virus programs will be updated periodically. • Organization owned laptops will be updated automatically when connected to the WWTC network. XI. Software • Organization computer software, documentation, and all other internal information must not be sold or transferred outside organization for any purposes other than those authorized by the CIO. • Software or data must not be exchanged between the organization and any third party without prior agreement sign, specifying the terms of condition, as well as the ways in which the resources is to be handled and protected. XII. Encryption • Encryption should be applied to protect the privacy of sensitive or critical information. • When developing procedures, the following should be considered: o the management guidelines on the use of cryptographic controls across the organization, o including the general principles under which business information should be protected, o approach to key management, including methods to deal with recovery of encrypted information in case of any disaster or data loss, o roles and responsibilities, i.e. who is responsible for implementing the procedures; the key management, o how the appropriate level of cryptographic protection is determined, o standards to be adopted for the effective implementation throughout the organization. XIII. Voice mail Security The voice mail feature of many PBXs may be a particularly vulnerable feature. This is because voice mail typically allows someone to store voice messages at a central location by calling in from inside or outside line and then retrieve the messages from inside or outside line later point of time. It also grants the general public access to the PBX system. While retrieving messages, the target extension and a password are usually required to gain access to the messages. Since the target extension is easy to determine, the only significant restriction is the password. Once an attacker determines a target user’s password all messages left for the target user are accessible to the attacker. The attacker could also delete messages from the target user’s mailbox to prevent an important message from getting to the target user. Some guidelines to secure the contents of voice mail include the following: 1. Default and passwords which are easy to predict must be changed at initial log-in. 2. Fixed length passwords are more vulnerable than variable length passwords. 3. Non-terminated password entry should be avoided. Some systems accept a continuous string of digits, granting entry when the correct password sequence is entered. 4. Block access to external lines via the Voice Mail system. 6. Contingency planning Information owners are responsible for creating and coordinating respective recovery plans in the scenario of any short term loss or the disaster of the Department’s information technologies systems processing functions. Review and testing of the disaster recovery plan should take place periodically. A Contingency Plan should fill in with the roles, responsibilities and procedures for restoring a system or facility following a major disaster or any disruption. The following guidelines represent the stages to be followed in preparing and executing a Contingency Plan: Documentation – A plan including a mission, a scope of what is included and not included assumptions, requirements, staffing and responsibilitiesshould be properly documented, tested and communicated. Notification/Activation – Internally within IT, the notification, timing and pathsshould be documented. There should only be one voice talking for the recovery team for communicating and escalating outside the barriers of IT. Damage assessment and the plan is activated immediately. Recovery – The steps of recovery activities should be documented in procedures. These activities include restoring operations which may be in temporary locations or with incomplete data. Reconstitution - Restoring facilities and systems to the normalincludes testing and proof of operations viability 7. Disaster Recovery Plan A Disaster Recovery Plan is meantfor maintaining critical business processes in the scenario of the loss of any of the following areas over a period of time: • desktop computers and laptop, • servers, • Web sites, • local area networks(LAN), • wide area networks(WAN), • distributed systems, and • mainframe systems. The following roles and individuals must be determined and documented: • Upwards, within the affected agency’s organization. • Outwards to affected agencies. • Outwards to the public. 8. Legal Requirement All security related aspects of information processing may be subject to statutory or contractual security requirements. Each agency must be aware of their responsibilities as dictated by legislation and other legal commitments particularly as they apply to the information systems and practices required by the federal and state governments. All agencies should put in place the appropriate procedures to ensure compliance with legal considerations. 9. Software Copyright Proprietary software products are usually supplied under a license agreement that limits the use of the products to specified computers and may limit copying to the creation of back-up copies only. The following controls should be implemented: • publishing software copyright compliance procedures which define the legal use of software and information products, • maintaining awareness of the software copyright and acquisition procedures and giving notice of the intent to take disciplinary action against staff who breach them, • maintaining proof and evidence of licenses ownership, master disks, manuals, etc., • implementing controls to make sure that maximum number of users permitted is not exceeded, • maintaining a checklist that only authorized software and licensed products are installed, • providing procedures for maintaining appropriate license conditions, and • providing procedures for disposing or transferring software to others. 10. Protection of Information Important records must be protected from any loss, disaster anddestruction. Some records may need to be retained securely to meet regulatory requirements as well as to support essential business related activities. The time period and information content for retention may be set by respective organization leaders.Records should be categorized into record types, e.g. accounting records, database records, transaction logs audit logs and operational procedures etc., each with details of retention periods and type of storage media, i.e. paper, magnetic, optical discs. Any related cryptographic keys associated with encrypted archives or digital signatures, should be kept securely and made available to authorized persons when needed.Consideration should be given to the possibility of degradation of media used for storage of records. Storage and handling procedures should be implemented in accordance with Manufacturer’s recommendations. 11. Compliance with Security Policy WWTC must ensure that all security procedures within their area of responsibility aredocumented and carried out properly. All areas within the organization may be subject to periodical review to ensure compliance with security procedures and standards. These should include the following: • information systems, • systems providers, • information owners and information assets, • hosting agencies of information and information assets, and • users. Both the owning and hosting agencies should support periodical reviews of the compliance of their systems with the appropriate security procedures, standards and any other security requirements. All variances should be documented.