1. Purpose, Scope and Users
The purpose of this document is to ensure correct and secure functioning of information and communication technology.
Users of this document are employees of IRIS Connect who work in the IT department.
2. Reference documents
3. Security Procedures
3.1 Change management
Each change to operational or production systems must be made in the following way:
- change may be proposed by any employee
- change must be authorized by their line manager who must assess its justification for business and potential negative security impacts
- changes must be implemented by IT team
- line manager is responsible for checking that the change has been implemented in accordance with the requirement
- Network Manager is responsible for testing and verifying the system's stability – the system must not be put into production before thorough testing has been conducted
Change records are kept within the change management app in Podio.
3.2 Backup
3.2.1 Backup procedure
Backup copies must be created for O:/ every 2 days.
IT Team is responsible for backing up the information, software and system images.
Logs of the backup process are automatically created on systems where the backup copy is made.
3.2.2 Testing backup copies
Backup copies and the process of their restoration must be tested at least once every three months by implementing the data restore process on and checking that all data has been successfully recovered.
The Network Manager is responsible for testing backup copies. Records on testing backup copies are kept [describe record form – on paper or in electronic form, if there is a prescribed form, etc.].
3.3 Network security management
The Network Manager is responsible for managing and controlling the computer networks, for ensuring the security of information in networks, and for protecting the services connected to the networks from unauthorized access. It is therefore necessary:
- to separate the operational responsibility for networks from the responsibility for sensitive applications and other systems
- to protect sensitive data passing over the public network by [describe the technology used for protection and specify responsibilities and responsible persons]
- to protect sensitive data passing over wireless networks by [describe the technology used for protection and specify responsibilities and responsible persons]
- to protect equipment connecting to the network from remote locations by [describe the technology used for protection and specify responsibilities and responsible persons]
- to segregate traffic coming in from mobile devices, set up unique firewall policies, static routes, Virtual Local Area Networks, etc.
- to ensure the availability of network services by [describe controls which will ensure availability]
- the Network Manager must regularly monitor and test implemented controls
3.4 Network services
The IT Team must define security features and the level of expected services for all network services, whether these services are provided in-house or outsourced – such requirements should be documented with service providers.
If the network services are outsourced, then the requirements must be specified in the agreement with the service provider.
3.5 System monitoring
Based on the risk assessment results, the Network Manager decides which logs will be kept on which systems and for which systems, and how long they will be stored. Logs must be kept for all administrators and system operators on sensitive systems.
The Network Manager is responsible for monitoring the logs of automatically reported faults on a daily basis, as well as for registering faults reported by users, analysing why errors occurred and taking appropriate corrective actions.
The Network Manager is responsible for regularly reviewing logs in order to monitor the activities of users, administrators and system operators. The review is conducted at intervals prescribed by the Network Manager, who determines and selects the records to be reviewed, and how the implemented review will be recorded. The Operations Director must be informed about the results of the review.
3.6 Password Restrictions
The Network Manager will ensure that password policy enforces or supports the Password Policy set out in the IT Security Policy 4.2 - 4.3. As much as is reasonably practicable, technical controls and policies must shift the burden away from individual users and reduce reliance on them knowing and using good practices.
The Network Manager will ensure all users must authenticate, using unique credentials, before being granted access to applications or devices.
3.7 Firewall Changes
In accordance with 5.5 of the IT Security document, firewall rule changes must be approved by a line manager and logged in the IT workspace on Podio. This log must be kept up to date; rules that are no longer needed must be removed as soon as possible and the log updated.
3.8 User Account Management
All unnecessary user accounts (e.g. guest accounts and unnecessary administrative accounts) must be removed or disabled on all devices.
Account creation / decommissioning must follow the process set out in the IT Security Policy, Section 5. The IT team should complete a monthly check to ensure there are no accounts that have been overlooked.
User profiles that are not in day-to-day use are to be removed from machines after 2 months of non-use through Group Policy.
All accounts on the server are removed when no longer needed, keeping active accounts to a minimum in accordance.
3.9 Hardware and Software Configuration
All newly commissioned hardware will have all unnecessary software (including applications, system utilities and network services) removed or disabled during setup by the IT team. The standard approved IRIS Connect software and antivirus and firewall software will be installed by default.
All new hardware will have default passwords changed following the Password Policy in the IT Security Policy 4.3.
3.10 Special Access Requests
Account creation / decommissioning must follow the process set out in the IT Security Policy 3.19.
Special access should only be granted if:
- A clear reason has been given
- A reasonable time frame has been included
- There is no reasonable alternative solution
- The request is from a line manager
The IT team should set a reminder to revoke the access at the end of the time period. Requests should be logged in the IT workspace in Podio.
The IT team should complete a monthly check to ensure there are no special access permissions that have been overlooked.
3.11 Software Management
Approval & Deployment:
The Network Manager must review and approve all software prior to deployment. Any new software that has been approved must be added to the approved software register.
Patches:
The Network Manager reviews all patches that are released that contain fixes for vulnerabilities and ensures they are pushed out within 14 days.
For software that cannot be controlled centrally, patches are installed manually by each member of staff upon the Network Manager's advisory communication. This is overseen by the department's manager.
Removal:
Any software that is no longer supported must be removed from the network.
3.12 Admin Account Process and Controls for Server and Computers
Approval for the creation of additional admin accounts is required from the Network Manager or Director of Technology.
Admin accounts must not be used for day-to-day work and may only be used for administrative activities such as installing software or making configuration changes.