
IT Security Policies

Prepared by:

Saltlake Infosolutions Pvt. Ltd.

G-5, Ground Floor, Koyla Vihar Abhinandan,
VIP Road, Kolkata – 700052
Phone: +91-9831592533
Email: ctcl-iml@saltlakesoft.com
Web: http://www.saltlakesoft.com

[ORGANIZATION]
IT Security Policies [ORGANIZATION] 2010.1

This sample document and all of its contents are copyright of Saltlake Infosolutions Pvt. Ltd.
(http://www.saltlakesoft.com). All rights reserved.


Table of Contents

Information Technology Security Policies ... 4
Business Continuity Plan ... 8
Disaster Recovery Plan ... 14
Incident Response Plan ... 19
Risk Assessment Procedure ... 27
Information Security Policy ... 31
Network Security Policy ... 37
Backup Policy ... 42
User Management and Access Control Policy ... 50
Password Policy ... 56
Application Software Policy ... 60
Audit Trail Policy ... 63
Anti-Virus and Firewall Policy ... 70
Change Management Policy ... 77


Change Management Policy

Overview

As the IT infrastructure at [ORGANIZATION] grows, the dependence on IT Resources increases across
functions. These IT Resources could be Application Software, System Software and Operating Systems,
Hardware (including Server and Client machines), Network infrastructure, etc.

From time to time, these IT Resources may need to undergo changes which could be planned upgrades
or maintenance. In addition, unexpected events can occur which require upgrades or maintenance of
the resource. During the upgrades or maintenance, the IT Resource could be unavailable or partially
available.

It is critical for the organization to manage the changes occurring due to planned or unplanned events in
such a way that the disruption in the business services of the [ORGANIZATION] is minimized.

Purpose

The purpose of the Change Management Policy is to manage changes in a rational and predictable
manner so that staff members and clients can plan accordingly, to minimize disruption in the business
services of the [ORGANIZATION].

The Change Management Procedures are designed to provide an orderly process and control under
which all change requests made for [ORGANIZATION]’s IT infrastructure are reviewed and approved
prior to the installation or implementation of the change. Furthermore, it also defines the procedure
and steps which need to be followed in case any Unplanned or Emergency change takes place.

Scope

Any change in [ORGANIZATION]’s IT environment requires approval via the process defined in this
policy.

This policy applies to:

• All employees, users and clients
• Changes made to all Information Technology systems and services
• Hardware upgrades or additions
• Network changes
• Infrastructure changes
• Security patches / changes
• Software upgrades, updates, or additions
• System architecture and configuration changes

Definitions

Planned Change: A change for which formal notification has been received, reviewed, and approved by
the Management in advance of the change being implemented.

Unplanned Change: A change for which no notification was presented to the formal process in advance
of the change being made. It happens in the case of unexpected changes, where the time available is too
short to follow the formal procedure.

Emergency Change: An immediate, on-the-spot response required for an Incident that needs an urgent
solution to prevent widespread service or system disruption.

Process

The Change Management process consists of the following general procedures, which must be followed
for all types of changes, and a few specific procedures which will be followed for the respective type of
change being made, i.e. planned, unplanned and emergency changes.

General procedures applied to all types of changes:

• A written request has to be made.
• An advance approval has to be obtained.
• The change must be assessed for impact, risk and priority.
• The change must be tested in advance as thoroughly as possible/reasonable.
• The change must be documented, with all supporting documentation updated to reflect the change.
• Only in exceptional circumstances may urgent changes be made outside the normal process,
and in any event they must be fully recorded retrospectively.
• Communications must ensure that the effect of a change is properly made available to those
who are significantly affected, or on a need-to-know basis.
• A Change Review must be completed for each change, whether planned or unplanned, and
whether successful or not.
• A Change Management Control Log must be maintained for all kinds of changes.

Planned Change Procedure

Any potential change to the [ORGANIZATION]'s IT resources must be communicated to the
Management by the System Administrator and the team responsible for changes. The Change Request
Form must be used for communicating the potential change.


The following procedure should be followed in the case of a Planned Change:

1. A Change Request Form must be filled in and submitted to the senior management, providing the
necessary details and information about the change, for example:
a. Why the change is required.
b. Who is responsible for implementing the change.
c. The estimated date of the change.
d. A description of the change, including a timeline and the potential risks associated with it.
e. Whether the change has been approved by other staff in charge of resources that may
be affected, if any.
f. The IT staff members who are involved in the change must be listed.
g. What assistance will be needed from other employees, if any.
2. Potential changes must be communicated several working days in advance of when the
work is to be done.
3. After receiving notification of a potential change, any user/employee who needs more
information or has an objection to the change should contact the System Administrator.
4. In the event that an objection to the change cannot be resolved informally, the Director or
Senior Management person involved will call a meeting of all involved parties to resolve the
dispute.

Unplanned Change Procedure

For Unplanned Changes, all the steps in the general procedure mentioned above will be followed except
for advance notification.

Emergency Change Procedure

• All emergencies will be handled on a case-by-case basis by the System Administrator
with the approval of the Management.
• Approval to execute the change must be obtained from management.
• Users and/or staff affected by the emergency will be notified as soon as possible.
• The actions required to deal with the change will be carried out by the System
Administrator as soon as possible.
• All change procedures must be recorded retrospectively and preserved with the
necessary supporting documents.

In the case of emergency changes, the above-mentioned steps will be followed to allow the
fastest possible response while still maintaining the proper levels of approval, monitoring,
communication and documentation of all change-related procedures.


Responsibility and Implementation

• The System Administrator and Compliance Officer will be responsible for the implementation of
the Change Management Policy and procedures, in consultation with the Higher Authorities of
the company.
• All Pre-Implementation and Post-Implementation processes which may be needed for
future reference by the System Department must be documented or noted in the Change
Implementation Form and the Change Management Log.
• This policy should be periodically reviewed and updated, where and whenever necessary, to
reflect changes in the IT environment of the [ORGANIZATION].

Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, penalty and/or
suspension, up to and including termination of employment.

(Attached: Change Management Forms)

1. Change Request Form
2. Change Implementation Form
3. Change Management Control Log


CHANGE REQUEST FORM

[ORGANIZATION]

Change Request Details
Change Request No:                    Date:
Requestor Name:                       Designation:
Department:
Description of Change:
Reason for Change:
Initiation Date:                      Completion Date:
Approval from Other Departments (if any):
  Department:                         Approved By:
  Department:                         Approved By:
  Department:                         Approved By:
Type of Change:        [ ] Planned   [ ] Unplanned   [ ] Emergency
Associated Risks:
Impact of the Change:  [ ] High   [ ] Medium   [ ] Low
Personnel Required:
Hardware Required:
Software Required:
Estimated Cost (INR):
Signature of Requestor in full:

Change Approval or Rejection
Change Request Status:  [ ] Approved   [ ] Rejected
Change Scheduled On:
Comments:
Change Implementation Assigned To:
Change Review Assigned To:
Designation of Approver:
Signature of Approver in full:


CHANGE IMPLEMENTATION FORM

[ORGANIZATION]

Change Implementation Form
Change Request No:                          Date:
Department:
Name of Person Implementing Change:         Designation:
Date of Test of Change Implementation:      Change Tested By:
Description of Test:
Test Results:
Comments:
Change Implementation Date:
Results of Change Implementation:
Cost Incurred (INR):
Comments:
Signature of Person Implementing Change (in full):
Comments of Reviewer:
Signature of Reviewer (in full):


CHANGE CONTROL LOG

[ORGANIZATION]

The log is a table with one row per change request and the following columns:

1. Change Request No.
2. Request Date
3. Requested By (Name)
4. Requested By (Designation)
5. Department
6. Change Description
7. Status (Approved / Rejected)
8. Date of Approval / Rejection
9. Change Initiated On
10. Change Implemented On
11. Change Implemented By
12. Change Supervisor
13. Cost Incurred (Amount in INR)
14. Result (Success / Failure)
15. Details Entered By
16. Signature
