
INSPIRING BUSINESS INNOVATION

COMPLIANCE POLICY

Version 1.1

Policy Number:


COMPLIANCE POLICY

Page 2/14

1. Table of Contents

1. Table of Contents ............................................................. 2
2. Property Information .......................................................... 3
3. Document Control .............................................................. 4
   3.1. Information .............................................................. 4
   3.2. Revision History ......................................................... 4
   3.3. Review, Verification and Approval ........................................ 4
   3.4. Distribution List ........................................................ 4
4. Policy Overview ............................................................... 5
   4.1. Purpose .................................................................. 5
   4.2. Scope .................................................................... 5
   4.3. Terms and Definitions .................................................... 5
   4.4. Change, Review and Update ................................................ 7
   4.5. Enforcement / Compliance ................................................. 7
   4.6. Waiver ................................................................... 7
   4.7. Roles and Responsibilities (RACI Matrix) ................................. 8
   4.8. Relevant Documents ....................................................... 9
   4.9. Ownership ............................................................... 10
5. Policy Statements ............................................................ 11
   5.1. Identification of Applicable Legislation and Contractual Requirements ... 11
   5.2. Intellectual Property Rights ............................................ 12
   5.3. Protection of Records ................................................... 13
   5.4. Privacy and Protection of Personally Identifiable Information ........... 13
   5.5. Regulation of Cryptographic Controls .................................... 13
   5.6. Independent Review of Information Security .............................. 14
   5.7. Compliance with Security Policies and Standards ......................... 14
   5.8. Technical Compliance Review ............................................. 14


2. Property Information

This document is the property of Imam Abdulrahman bin Faisal University - ICT Deanship. The content of this document is Confidential and intended only for the valid recipients. This document is not to be distributed, disclosed, published or copied without the written permission of the ICT Deanship.


3. Document Control

3.1. Information

Title               Classification   Version   Status
COMPLIANCE POLICY   Confidential     1.0       validated

3.2. Revision History

Version   Author(s)                     Issue Date          Changes
0.1       Alaa Alaiwah - Devoteam       November 18, 2014   Creation
0.2       Nabeel Albahbooh - Devoteam   December 1, 2014    Update
0.3       Osama Al Omari - Devoteam     December 23, 2014   QA
1.1       Muneeb Ahmad - ICT, IAU       24 April 2017       Update

3.3. Review, Verification and Approval

Name                      Title              Date
Lamia Abdullah Aljafari   Quality Director
Dr. Saad Al-Amri          Dean of ICT

3.4. Distribution List

Copy #   Recipients   Location


4. Policy Overview

This section describes and details the purpose, scope, terms and definitions, change, review and update, enforcement / compliance, waiver, roles and responsibilities, relevant documents and ownership.

4.1. Purpose

The main purpose of the Compliance Policy is to:

- Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

4.2. Scope

The policy statements written in this document are applicable to all IAU's resources at all levels of sensitivity, including:

- All full-time, part-time and temporary staff employed by, or working for or on behalf of, IAU.
- Students studying at IAU.
- Contractors and consultants working for or on behalf of IAU.
- All other individuals and groups who have been granted access to IAU's ICT systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

4.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

Term: Definition

Accountability: A security principle indicating that individuals should be able to be identified and held responsible for their actions.

Asset: Information that has value to the organization, such as forms, media, networks, hardware, software and information systems.

Availability: The state of an asset or a service being accessible and usable upon demand by an authorized entity.

Confidentiality: An asset or a service is not made available or disclosed to unauthorized individuals, entities or processes.

Control: A means of managing risk, including policies, procedures and guidelines, which can be of an administrative, technical, management or legal nature.

Guideline: A description that clarifies what should be done and how, to achieve the objectives set out in policies.

Information Security: The preservation of confidentiality, integrity and availability of information. Additionally, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.

Integrity: Maintaining and assuring the accuracy and consistency of an asset over its entire life-cycle.

Intellectual Property: The category of intangible (non-physical) property consisting primarily of rights related to copyrighted materials, trademarks, patents and industrial designs.

Owner: A person or group of people identified by Management as having responsibility for maintaining the confidentiality, availability and integrity of an asset. The Owner may change during the lifecycle of the asset.

Policy: A plan of action to guide decisions and actions. The policy process includes the identification of different alternatives, such as programs or spending priorities, and choosing among them on the basis of the impact they will have.

Privacy: The right of an individual to be secure from unauthorized disclosure of information about oneself that is contained in documents.

Risk: A combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Supplier: A party that provides equipment or services.

System: Equipment, or an interconnected system or subsystems of equipment, that is used in the acquisition, storage, manipulation, management, control, display, switching, interchange, transmission or reception of data, and that includes computer software, firmware and hardware.

Table 1: Terms and Definitions

4.4. Change, Review and Update

This policy should be reviewed once every year unless the owner considers an earlier review necessary to ensure that the policy remains current. Changes to this policy should be performed exclusively by the Information Security Officer and approved by Management. A change log should be kept current and be updated as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with the statements of this policy is mandatory and is subject to periodic review by the Information Security Officer. All IAU units (Deanship, Department, College, Section and Center) should ensure continuous compliance monitoring within their area.

Ignoring or violating information security directives could harm IAU's environment (e.g., loss of trust and reputation, operational disruptions or legal violations). The persons at fault will be held responsible, which may result in disciplinary or corrective actions (e.g., dismissal) and legal investigations. Correct and fair treatment of employees who are under suspicion of violating security directives (e.g., disciplinary action) has to be ensured. Management and the Human Resources Department have to be informed of policy violations and deal with their handling.

4.6. Waiver

Information security should consider exceptions on an individual basis. For an exception to be approved, a business case outlining the logic behind the request should accompany the request. Exceptions to the policy compliance requirement should be authorized by the Information Security Officer and approved by the ICT Director. Each waiver request should include the justification and benefits attributed to the waiver.

A policy waiver has a maximum period of 4 months and should be reassessed and re-approved, if necessary, for a maximum of three consecutive terms. No policy should be granted a waiver for more than three consecutive terms.


4.7. Roles and Responsibilities (RACI Matrix)

Table 1 shows the RACI matrix (1) that identifies who is responsible, accountable, consulted or informed for every task that needs to be performed.

The roles involved in this policy are: Management, ICT Operations Manager, ICT Deanship, Information Security Officer (ISO), Legal Department, Human Resources Department / Administrative Unit (HR/A), Internal/External Auditor, and Owner and User (Employee and Contract).

Roles (columns of the matrix): Mgt. = Management; Opr. Mgr. = ICT Operations Manager; ICT = ICT Deanship; ISO = Information Security Officer; Legal = Legal Department; HR/A = Human Resources Department / Administrative Unit; Auditor = Internal/External Auditor; User = Owner and User.

Responsibilities and RACI assignments:

- Performing compliance checking and audit for verifying compliance with IAU's information security policies: I; R,C; R,A
- Assisting an external independent audit team to conduct information security audits of IAU's systems on a periodic basis: I; R,C; R,A
- Implementing appropriate controls to protect the confidentiality, integrity and authenticity of sensitive information: I; R,A; C
- Conducting an internal audit of IAU's critical systems using appropriate audit tools: I; R,A; R,C
- Ensuring that information security policies are compliant with IAU's legal and contractual requirements: I; R; C; R; I
- Providing the expert legal advice that is necessary for other departments to provide services in a manner that is fully compliant with existing laws and regulations: I; R; C; R
- Distributing information security documents so that those who need such documents have copies or can readily locate the documents via an intranet site: I; C; R,A; R,C; I
- Adhering to information security policies, guidelines and procedures pertaining to the protection of information: C; C; C; R,A,I
- Reporting actual or suspected security incidents to ICT Deanship: I; A,C; C; R
- Accepting accountability for all activities associated with the use of access privileges: I; A,C; C; R
- Using the information only for the purpose intended by IAU: I; A,C; C; R
- Managing all information security auditing activities:
  - Developing the annual audit plan: C,I; I; C,I; R,A
  - Reporting audit findings to the ICT Operations Manager: C,I; I; C,I; R,A
  - Ensuring compliance with the information security practices, policies and procedures: C,I; I; C,I; R,A
  - Monitoring compliance with the information security policies, procedures, guidelines and standards, along with external chosen standards: C,I; I; C,I; R,A

Table 1: Assigned Roles and Responsibilities based on RACI Matrix

(1) The responsibility assignment RACI matrix describes the participation by various roles in completing tasks for a business process. It is especially useful in clarifying roles and responsibilities in cross-functional/departmental processes. R stands for Responsible, who performs a task; A stands for Accountable (or Approver), who signs off (approves) on a task that a Responsible performs; C stands for Consulted (or Counsel), who provides opinions; and I stands for Informed, who is kept up-to-date on task progress.

4.8. Relevant Documents

The following are all policies and procedures relevant to this policy:

- Information Security Policy
- Organization of Information Security Policy
- Human Resource Security Policy
- Asset Management Policy
- Access Control Policy
- Cryptography Policy
- Physical and Environmental Security Policy
- Operations Security Policy
- Communications Security Policy
- System Acquisition, Development and Maintenance Policy
- Supplier Relationships Policy
- Information Security Incident Management Policy
- Information Security Aspects of Business Continuity Policy
- Risk Management Policy
- Acceptable Usage Policy
- Asset Classification Procedure
- Change Management Procedure
- Patch Management Procedure
- Risk Management Procedure
- Information Security Incident Handling Procedure
- Physical and Logical Access Control Procedure
- Human Resource Security Procedure
- Backup and Restoration Procedure
- System Acquisition, Development and Maintenance Procedure

4.9. Ownership

This document is owned and maintained by the ICT Deanship of University of Imam Abdulrahman bin Faisal.


5. Policy Statements

The following subsections present the policy statements in 8 main aspects:

- Identification of Applicable Legislation and Contractual Requirements
- Intellectual Property Rights
- Protection of Records
- Privacy and Protection of Personally Identifiable Information
- Regulation of Cryptographic Controls
- Independent Review of Information Security
- Compliance with Security Policies and Standards
- Technical Compliance Review

5.1. Identification of Applicable Legislation and Contractual Requirements

1. ICT Deanship, in cooperation with the Human Resources Department / Administrative Unit, should identify and analyze all applicable statutory, regulatory, legal and contractual requirements, and take the appropriate measures to comply with them. The following areas should be covered:

   a. Relevant standards and guidelines pertaining to IAU's systems.
   b. Relevant government and/or external requirements (i.e., laws, legislation, guidelines, regulations and standards) pertaining to external relationships and external requirements reviews.
   c. Labour laws, especially those addressing information technology related safety and health requirements.
   d. Intellectual property rights/software copyright laws.
   e. Systems security requirements, especially relating to the use of cryptographic data and transmission of data.
   f. Audit reports from external auditors, third-party service providers and government agencies.

2. The design, operation, management and use of systems and related facilities should be carried out in compliance with all applicable legal, regulatory or contractual security requirements.

REF: [ISO/IEC 27001: A.18.1.1]

5.2. Intellectual Property Rights

1. ICT Deanship should recognize and respect intellectual property rights (including software or document copyright, design rights, trademarks, patents and source code licenses) associated with its systems.

2. Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products, such as copyright, design rights and trademarks.

3. ICT Deanship should comply with the following requirements:

   a. Purchasing and issuing all software used in accordance with the license agreements.
   b. Not engaging any person or entity in any unauthorized copying of software.
   c. Maintaining evidence of ownership of licenses or manuals.
   d. Identifying all licensing requirements limiting the usage of products, software, designs and other material acquired.
   e. All employees using information systems should strictly abide by copyright laws and restrictions detailed by the software vendor.
   f. Not duplicating third party materials, converting them to another format or extracting them from commercial recordings (e.g., video and audio) other than as permitted by copyright policy.
   g. Establishing a documented policy that defines the appropriate approach for disposing of or transferring software.

REF: [ISO/IEC 27001: A.18.1.2]


5.3. Protection of Records

1. A documented set of procedures should be in place to define the records' classification methods, in addition to the appropriate controls for protecting these records from loss, destruction and falsification.

2. ICT Deanship should consider the following to ensure proper protection of records:

   a. Protecting records based on the relevance and importance of the records.
   b. Storing records in a manner appropriate to the media on which they are recorded.
   c. Categorizing records into various types (e.g., employee records, systems records, database records, audit logs and operational procedures), each with details of retention periods and type of storage media (e.g., paper, magnetic and optical).

REF: [ISO/IEC 27001: A.18.1.3]

5.4. Privacy and Protection of Personally Identifiable Information

1. ICT Deanship should develop and implement a data protection and privacy policy that defines the requirements in relevant laws, regulations and contractual requirements of IAU.

2. No employee of IAU should share confidential or proprietary data of IAU or of its employees with other entities, agencies, third parties or business units unless they have been granted permission to share such information, and then only based on IAU's business requirements.

REF: [ISO/IEC 27001: A.18.1.4]

5.5. Regulation of Cryptographic Controls

1. Where appropriate, all cryptographic controls (e.g., restrictions on the import or export of computer hardware and software for performing cryptographic functions) should be used in compliance with all related regulations, laws and agreements.

REF: [ISO/IEC 27001: A.18.1.5]


5.6. Independent Review of Information Security

1. IAU's Management should initiate and assign an internal and independent review (e.g., internal and external audit, technical compliance checking) of information security management.

2. An internal and independent review should be conducted periodically (at least annually), and additionally:

   a. Following a review of the information security policy.
   b. When significant changes have been made to IAU's information resources or technological infrastructures.
   c. In the event of a change in IAU's requirements or legal context.

3. An internal and independent review of information security should be conducted in order to verify whether the approach (e.g., tracking of information security objectives, policies, procedures and processes relating to information security) retained by ICT Deanship to manage and implement its information security is adequate and effective.

REF: [ISO/IEC 27001: A.18.2.1]

5.7. Compliance with Security Policies and Standards

1. All IAU's employees should understand and acknowledge their responsibility for complying with IAU's information security policies and procedures.

2. Heads of Departments / Units / Managers should regularly review the compliance of systems security within their area of responsibility with the appropriate security policies, standards and any other security requirements. Results of reviews and corrective actions carried out by Managers should be recorded and maintained.

REF: [ISO/IEC 27001: A.18.2.2]

5.8. Technical Compliance Review

1. Audit requirements and activities covering checks on operational systems should be carefully planned and performed at periodic intervals (at least annually) with the knowledge of the Asset Owners, to minimize the risk of disruptions to business processes.

2. Where system audits require access to the system or data, including the use of software tools and utilities, such audits should be conducted with the knowledge, cooperation and consent of the Asset Owners, and relevant precautions should be taken to protect IAU's systems and data from damage or disruption as a result of the audit or audit tools.

3. The Information Security Officer, in cooperation with ICT Deanship, should conduct both internal and independent (external) audits of IAU's systems. The person(s) carrying out the audit should be independent of the activities audited. When performing the audit, any access needed should be provided to members of the External Audit Team. This access may include, but is not limited to:

   a. User level and/or system level access to any computing or communications device.
   b. Access to information (e.g., electronic or hardcopy) that may be produced, transmitted or stored on respective department equipment or premises.
   c. Access to working areas (e.g., Datacenter).
   d. Access to reports / documents created during internal audit.
   e. Access to interactively monitor and log traffic on networks.

REF: [ISO/IEC 27001: A.15.2.3]

-------------------------------------------------------- End of Document -------------------------------------------------