
  • NDMA ICT POLICY TRAINING PRESENTATION, February 2015. By: Fredrick Bitta MSc, BSc, CISA

  • Contents
    - Change Management Policy
    - Backup Policy
    - Access Control Policy
    - Network Policy
    - Commercial Software Policy
    - In-House Software Policy
    - Hardware Policy
    - Cybercrime Policy
    - Premises & Other Related Considerations
    - Q & A

  • ICT Policy Session II

  • ICT Policy: Change Management Policy
    Purpose & Scope: IT Change Management is the process of requesting, analyzing, approving, developing, implementing, and reviewing a planned or unplanned change within the IT infrastructure, including the IT processes, operating and application systems. Change management begins with the creation of a Request for Change (RFC) and ends with the satisfactory implementation of the change and the communication of its result to all interested parties. The policy covers all planned and unplanned changes affecting NDMA's information resources.
    Key Areas Covered (Change Management Process):
    - All emergency and unscheduled (unplanned) changes shall be documented once the changes have been effected. The change shall first be identified and classified as emergency.
    - There shall be a formal independent testing process before changes are implemented.
    - All incidents must be logged and a report submitted to the IT helpdesk for record.
    - All changes, while adhering to the defined process, shall be requested through the request for change control form.
    - All modifications to hardware, firmware, software and related systems shall be performed in such a manner as to ensure continuity of the services supported by the system.
    - Changes to the live (operating) environment that may disrupt services shall, as far as possible, be done outside business hours and shall ensure minimum disruption to dependent services.

  • ICT Policy: Change Management Policy (continued)
    Key Areas Covered (Change Management Process):
    - The business supporting function (within IT) shall implement the change. The responsibility for the change in the IT environment (while maintaining segregation of duties) rests with the IT manager.
    - A Project Team (PT) shall be appointed by management to oversee the implementation of major changes in the IT environment.
    - Staff shall ensure that contractors and other service providers whose work affects information resources adhere to this policy and to the contractual agreements with NDMA. All contracts should refer to this policy explicitly.
    - Stakeholders affected directly or indirectly by the change should be informed through communication by the IT manager at least one day before the change.
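The change management rules on the two slides above (post-hoc documentation for emergency and unplanned changes, independent testing before planned changes, disruptive live changes outside business hours, one day's notice to stakeholders, helpdesk logging) can be checked mechanically against an RFC record. The following is an added example written for this page, not NDMA's own tooling; the RFC field names, the 08:00-17:00 weekday business hours and the sample RFCs are assumptions.

```python
"""RFC checks encoding the NDMA change management policy rules (added illustration).
Field names, business hours and sample RFCs below are assumptions, not NDMA's."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional

BUSINESS_START, BUSINESS_END = time(8, 0), time(17, 0)   # assumed business hours


@dataclass
class ChangeRequest:
    rfc_id: str
    classification: str                 # "planned", "unplanned" or "emergency"
    scheduled_for: datetime             # when the change hits the live environment
    disruptive: bool                    # may disrupt dependent services
    independently_tested: bool          # formal test sign-off independent of the implementer
    helpdesk_logged: bool               # report submitted to the IT helpdesk
    documented: bool = False            # post-implementation write-up (emergency/unplanned)
    stakeholders_notified_at: Optional[datetime] = None


def in_business_hours(when: datetime) -> bool:
    """Monday to Friday between BUSINESS_START and BUSINESS_END (assumption)."""
    return when.weekday() < 5 and BUSINESS_START <= when.time() < BUSINESS_END


def policy_violations(rfc: ChangeRequest, implemented: bool = False) -> List[str]:
    """Return the policy rules the RFC breaks; an empty list means compliant.
    `implemented` enables the after-the-fact rules for emergency/unplanned changes."""
    issues = []
    if rfc.classification in ("emergency", "unplanned"):
        # Documented once the change has been effected, so only checked afterwards.
        if implemented and not rfc.documented:
            issues.append("emergency/unplanned change not documented after implementation")
    else:
        # Planned changes: independent testing and one day's notice come first.
        if not rfc.independently_tested:
            issues.append("no formal independent test before implementation")
        notice = rfc.stakeholders_notified_at
        if notice is None or rfc.scheduled_for - notice < timedelta(days=1):
            issues.append("stakeholders not informed at least one day before the change")
    if rfc.disruptive and in_business_hours(rfc.scheduled_for):
        issues.append("disruptive change to the live environment scheduled in business hours")
    if implemented and not rfc.helpdesk_logged:
        issues.append("change not logged with the IT helpdesk")
    return issues


# Constructed sample RFCs (Saturday 14 Feb 2015 evening; Monday 16 Feb 2015 morning).
PLANNED_OK = ChangeRequest("RFC-0001", "planned", datetime(2015, 2, 14, 20, 0), True, True, True,
                           stakeholders_notified_at=datetime(2015, 2, 12, 9, 0))
PLANNED_BAD = ChangeRequest("RFC-0002", "planned", datetime(2015, 2, 16, 10, 0), True, False, True,
                            stakeholders_notified_at=datetime(2015, 2, 15, 18, 0))
EMERGENCY = ChangeRequest("RFC-0003", "emergency", datetime(2015, 2, 16, 11, 0), False, False, False)

if __name__ == "__main__":
    for rfc in (PLANNED_OK, PLANNED_BAD, EMERGENCY):
        print(rfc.rfc_id, policy_violations(rfc, implemented=True) or "compliant")
```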

  • ICT Policy: Backup Policy
    Purpose & Scope: The purpose of this policy is to define the process of data storage for the protection and integrity of NDMA's data. The policy covers all system users' data stored on workstations, laptops, servers and other portable devices.
    Key Areas Covered:
    - Background: Computer systems do fail; it is not a matter of why or how, but of when. Several external factors outside NDMA's control can cause occasional or severe problems to the systems, from computer crashes and natural disasters such as flood or lightning to man-made disasters. Loss of information could cause severe downtime resulting in lost production, delay of NDMA's operations, wasted time in recreation effort, legal liabilities, and deterioration in customer relationships and reputation, among others.
    - Backup Process: This procedure applies to all equipment and data owned and operated by NDMA. The backups of the main storage server shall be run nightly, after business hours, to make sure that all files are closed and available for backup. Incremental backups shall be done on the primary storage server each night Monday through Thursday, and a full backup shall be done on Fridays. At the end of the month, full backups shall be done to a separate series of tapes labeled "End of month, year". At the end of the year, full backups shall be done to another separate series of tapes labeled "End of year". Backups are to be complete prior to the beginning of the next business day.

  • ICT Policy: Backup Policy (continued)
    Key Areas Covered:
    - Backup Process: Full backups and end-of-month backups shall be taken to an offsite location determined by management for storage. IT management shall determine other backup mechanisms, such as replication of data to offsite locations (e.g. the Government Datacenter) and cloud-based data backup mechanisms, based on need, cost-benefit analysis and efficiency, and as long as the security of the data is guaranteed. This shall form part of the Disaster Recovery Plan.
    - Responsibilities: All staff shall be responsible for backing up their work to the central server. The IT department is responsible for setting backup schedules, changing removable tapes, monitoring the success or failure of the backups, rerunning the backup procedure if required, logging the backup results in the yearly tape backup document, and storing the backup tapes according to the daily, weekly, monthly and yearly series. The IT department is also responsible for restoring deleted, misplaced or corrupt data files at the request of the owner. All requests for restore shall be sent through the IT helpdesk.
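The rotation stated in the backup policy above (incremental Monday to Thursday, full on Friday, a separate "End of month" tape series, a separate "End of year" series, and every run finished before the next business day begins) is a schedule that can be computed rather than remembered. The planner below is an added example for this page, not NDMA's own script; the Monday-to-Friday business week, the absence of a public-holiday calendar and the 08:00 start of business are assumptions.

```python
"""Tape-rotation planner for the NDMA backup schedule (added illustration).
Business week, holiday handling and start-of-business time are assumptions."""
import calendar
from datetime import date, datetime, time, timedelta
from typing import List, Tuple

BUSINESS_START = time(8, 0)   # assumed start of the business day


def is_business_day(d: date) -> bool:
    return d.weekday() < 5    # assumption: Monday-Friday, no public-holiday calendar


def last_business_day(year: int, month: int) -> date:
    """Month-end backups run on the last business day of the month."""
    d = date(year, month, calendar.monthrange(year, month)[1])
    while not is_business_day(d):
        d -= timedelta(days=1)
    return d


def next_business_day(d: date) -> date:
    d += timedelta(days=1)
    while not is_business_day(d):
        d += timedelta(days=1)
    return d


def plan_backup(run_date: date) -> List[Tuple[str, str]]:
    """Jobs for the night of run_date as (kind, tape series); [] on non-business days."""
    if not is_business_day(run_date):
        return []
    # Monday-Thursday: incremental to the daily series; Friday: full to the weekly series.
    jobs = [("full", "weekly")] if run_date.weekday() == 4 else [("incremental", "daily")]
    if run_date == last_business_day(run_date.year, run_date.month):
        # Month-end full backup goes to its own tape series, labelled with month and year.
        jobs.append(("full", "End of month, %s" % run_date.strftime("%B %Y")))
        if run_date.month == 12:
            jobs.append(("full", "End of year %d" % run_date.year))
    return jobs


def completed_on_time(run_date: date, finished_at: datetime) -> bool:
    """Policy deadline: the backup must finish before the next business day begins."""
    deadline = datetime.combine(next_business_day(run_date), BUSINESS_START)
    return finished_at < deadline


if __name__ == "__main__":
    # Constructed dates: Mon 2 Feb, Fri 6 Feb, Fri 27 Feb (month end) and Thu 31 Dec 2015.
    for d in (date(2015, 2, 2), date(2015, 2, 6), date(2015, 2, 27), date(2015, 12, 31)):
        print(d, plan_backup(d))
    print(completed_on_time(date(2015, 2, 6), datetime(2015, 2, 8, 3, 0)))  # Friday run, done Sunday
```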

  • ICT Policy: Access Control Policy
    Purpose & Scope: This policy defines access controls to information and systems within NDMA. It covers access to the operating systems as well as access privileges granted to third parties. It further defines information ownership and access privileges for both internal and external users. It is the responsibility of IT management to ensure compliance with this policy.
    Key Areas Covered:
    - Managing Access Control Standards: Access control standards for information systems shall be established in a manner that carefully balances restrictions to prevent unauthorized access against the need to provide unhindered access in accordance with the needs of the business.
    - Managing User Access: Access to all systems shall be authorized by the nominated owner of that system, and such access, including the appropriate access rights (or privileges), shall be recorded in an Access Control List.
    - Securing Unattended Workstations: Equipment is always to be safeguarded appropriately with password-protected screen savers, especially when left unattended.
    - Managing Network Access Controls: Access to resources on the network shall be strictly controlled to prevent unauthorized access. Access to all computing and information systems and peripherals shall be restricted unless explicitly authorized.
    - Controlling Access to Operating System Software: Access to operating system commands shall be restricted to those persons who are authorized to perform systems administration functions. Such access shall be operated under dual control requiring the specific approval of senior management.

  • ICT Policy: Access Control Policy (continued)
    Key Areas Covered:
    - Securing Against Unauthorized Physical Access: Physical access to high-security areas shall be controlled with strong identification and authentication techniques. Staff authorized to enter such areas shall be provided with information on the potential security risks involved.
    - Monitoring System Access and Use: Access is to be logged and monitored to identify potential misuse of systems or information.
    - Types of Access Granted to Third Parties: Access to systems, networks and information shall only be granted to third parties in controlled circumstances and shall be approved based on the type of access.
    - Management Duties: Management has individual and collective responsibility to ensure third parties adhere to approved information security procedures.
    - Third Party Service Management: Service level management concepts shall be applied to all deliveries of services from third parties. This will require third parties to meet all security and service controls, service definitions and agreed service levels.
    - Monitoring Third Party Services: Third party services shall be governed through service level agreements; service levels are to be monitored on an ongoing basis and penalty clauses invoked as appropriate.
    - Third Party Service Changes: Any changes to services provided by third parties shall be agreed prior to the changes taking place, and the service level agreements amended accordingly.

  • ICT Policy: Network Management Policy
    Purpose & Scope: This policy defines how the NDMA network shall be configured and managed, including the kind of personnel assigned this responsibility. It is the duty of IT management to ensure adherence to this policy.
    Key Areas Covered:
    - Network configuration: The network shall be designed and configured to deliver high performance and reliability to meet the needs of the business, whilst providing a high degree of access control and a range of privilege restrictions.
    - Network management: ICT staff shall manage NDMA's network and preserve its integrity in collaboration with the nominated individual system owners.
    - Time-out facility: A time-out facility shall be provided covering all terminals and PCs to ensure that screens are cleared and unauthorized access is prevented after a minimum time of inactivity.
    - Appointing system administrators: NDMA's systems shall be managed by suitably qualified systems administrators who are responsible for overseeing the day-to-day running and security of the systems.
    - Responding to system faults: Only qualified and authorized staff or approved third party technicians may repair information system hardware faults.
    - Administrating Systems: System administrators shall be fully trained and have adequate experience in the wide range of systems and platforms used by the organization. In addition, they shall be knowledgeable and conversant with the range of information security risks which need to be managed.

  • ICT Policy: Network Management Policy (continued)
    Key Areas Covered:
    - Accessing your Network Remotely: Remote access to NDMA's network and resources shall only be permitted provided that authorized users are authenticated, data is encrypted across the network, and privileges are restricted.
    - Defending your Network Information from Malicious Attack: System hardware, operating and application software, the networks and communication systems shall all be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.
    - Managing System Documentation: All documentation shall be kept up to date and be available.
    - Monitoring Error Logs: Error logs must be properly reviewed and managed by qualified staff.
    - Scheduling Changes to Routine Systems Operations: Changes to routine systems operations shall be fully tested and approved before being implemented.

  • ICT Policy: Purchasing & Maintaining Commercial Software
    Purpose & Scope: The purpose of this policy is to guide the acquisition of commercial software that meets user requirements and to ensure compliance with legislation on software licensing.
    Key Areas Covered:
    - Specifying user requirements: All requests for new application systems or software enhancements shall be presented to senior management with a Business Case, with the business requirements presented in a User Requirements Specification document.
    - Selecting Business Software Packages: The selection process for all new business software shall incorporate the criteria upon which the selection will be made. Such criteria shall receive the approval of senior management.
    - Using Licensed Software: To comply with legislation and to ensure ongoing vendor support, the terms and conditions of all End User License Agreements shall be strictly adhered to.
    - Applying Patches to Software: Patches to resolve software bugs may only be applied where verified as necessary and with management authorization. They must be from a reputable source and are to be thoroughly tested before use.
    - Disposing of Software: The disposal of software should only take place when it is formally agreed that the system is no longer required and that its associated data files, which may be archived, will not require restoration at a future date.

  • ICT Policy: Developing & Maintaining In-house Software
    Purpose & Scope: The purpose of this policy is to guide the development process for in-house software at NDMA. It governs the software development process and incorporates software quality assurance measures so that the final product meets user needs. The business owners shall ensure compliance with this policy when developing in-house software.
    Key Areas Covered:
    - Controlling Software Code: Formal change control procedures shall be utilized for all changes to systems. All changes to programs shall be properly authorized and tested before moving to the live environment.
    - Controlling Program Source Libraries: Formal change control procedures with comprehensive audit trails are to be used to control program source libraries.
    - Software Development: Software developed for or by the organization shall always follow a formalized development process, which itself is managed under the project in question. The integrity of NDMA's operational software code shall be safeguarded using a combination of technical access controls, restricted privilege allocation and robust procedures.
    - Separating Systems Development and Operations: Management shall ensure that proper segregation of duties applies to all areas dealing with systems development, systems operations or systems administration.
    - Controlling Test Environments: Formal change control procedures shall be employed for all amendments to systems. All changes to programs must be properly authorized and tested in a test environment before moving to the live environment.

  • ICT Policy: Developing & Maintaining In-house Software (continued)
    Key Areas Covered:
    - Making Emergency Amendments to Software: Emergency amendments to software shall be discouraged, except in circumstances previously designated by management as 'critical'. Any such amendments shall strictly follow agreed change control procedures.
    - Managing Change Control Procedures: Formal change control procedures shall be utilized for all amendments to systems. All changes to programs shall be properly authorized and tested in a test environment before moving to the live environment.
    - Testing Software before Transferring to a Live Environment: Formal change control procedures shall be utilized for all amendments to systems. All changes to programs shall be properly authorized and tested in a test environment before moving to the live environment.
    - Capacity Planning and Testing of New Systems: New systems must be tested for capacity, peak loading and stress. They must demonstrate a level of performance and resilience which meets or exceeds the technical and business needs and requirements of the organization.
    - Documenting New and Enhanced Systems: All new and enhanced systems shall be fully supported at all times by comprehensive and up-to-date documentation.

  • ICT Policy: Securing Hardware, Peripherals & Other Equipment
    Purpose & Scope: This policy shall govern the acquisition, installation, maintenance and disposal of IT hardware and related peripherals. The IT committee of the Board, the IT steering committee and IT management shall ensure compliance with this policy.
    Key Areas Covered:
    - Specifying New Hardware Requirements: All purchases of new systems hardware or new components for existing systems shall be made in accordance with the Public Procurement Act, as well as technical standards. Such requests to purchase shall be based upon a User Requirements Specification document and take account of longer-term NDMA business needs. The User Requirements Specification document shall originate from the user department and shall be evaluated by a technical team appointed by management. Based on the cost-benefit analysis and value of the equipment to be purchased, the Public Procurement rules shall apply: either direct procurement, single sourcing or competitive bidding. The IT steering committee shall determine the mode of procurement and get approval from the IT committee of the Board. The process of procurement shall at all times be in accordance with the Public Procurement Act.
    - Installing New Hardware: All new hardware installations shall be planned formally and notified to all interested parties ahead of the proposed installation date. ICT requirements for new installations are to be circulated for comment to all interested parties well in advance of installation.

  • ICT Policy: Securing Hardware, Peripherals & Other Equipment (continued)
    Key Areas Covered:
    - Testing Systems and Equipment: All equipment shall be fully and comprehensively tested and formally accepted by users before being transferred to the live environment.
    - Supplying Continuous Power to Critical Equipment: An Uninterruptible Power Supply shall be installed to ensure the continuity of services during power outages.
    - Managing and Maintaining Backup Power Generators: Secondary and backup power generators shall be employed where necessary to ensure the continuity of services during power outages.
    - Installing and Maintaining Network Cabling: Network cabling shall be installed and maintained by qualified engineers to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network wall sockets shall be sealed off and their status formally noted.
    - Using Laptop/Portable Computers: Persons who are issued with portable computers and who intend to travel for business purposes must be made aware of the information security issues relating to portable computing facilities and implement the appropriate safeguards to minimize the risks.
    - Maintaining a Hardware Inventory or Register: A formal hardware inventory of all equipment shall be maintained and kept up to date at all times.

  • ICT Policy: Securing Hardware, Peripherals & Other Equipment (continued)
    Key Areas Covered:
    - Disposing of Obsolete Equipment: Equipment owned by the organization shall only be disposed of by authorized personnel who have ensured that the relevant security risks have been mitigated. It shall be the duty of the IT steering committee to come up with procedures for the disposal of IT equipment, in line with the Procurement & Disposal Act.
    - Insuring Hardware: All computing equipment and other associated hardware belonging to NDMA shall carry appropriate insurance cover against hardware theft, damage or loss.
    - Taking Equipment off the Premises: Only authorized personnel are permitted to take equipment belonging to the organization off the premises; they are responsible for its security at all times.

  • ICT Policy: Combating Cybercrime
    Purpose & Scope: This policy shall govern how to mitigate the threats posed by cybercrime, including denial of service attacks and virus attacks. It is the sole responsibility of IT management to ensure compliance with this policy.
    Key Areas Covered:
    - Defending Against Premeditated Cyber Crime Attacks: Security on the network shall be maintained at the highest level.
    - Defending Against Premeditated Internal Attacks: In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards shall be periodically reviewed whilst being maintained at all times.
    - Safeguarding Against Malicious Denial of Service Attacks: Contingency plans for a denial of service attack shall be maintained and periodically tested to ensure adequacy.
    - Defending Against Virus Attacks: Anti-virus software shall be deployed across all PCs, with regular virus definition updates and scanning across servers, PCs and laptop computers.

  • ICT Policy: Physical Security
    Purpose & Scope: This policy governs the physical protection of computer premises, environmental conditions and other external threats. The policy is alive to the fact that illegal physical access to computers and networks can compromise the integrity of information and lead to loss of computer equipment as well.
    Key Areas Covered:
    - Securing Physical Protection of Computer Premises: Computer premises shall be safeguarded against unlawful and unauthorized physical intrusion.
    - Ensuring Suitable Environmental Conditions: When locating computers and other hardware, suitable precautions shall be taken to guard against the environmental threats of fire, flood and excessive ambient temperature and humidity.
    - Physical Access Control to Secure Areas: All computer premises shall be protected from unauthorized access using an appropriate balance between simple ID cards and more complex technologies to identify, authenticate and monitor all access attempts.
    - Electronic Eavesdropping: Electronic eavesdropping shall be guarded against by using suitable detection mechanisms, which shall be deployed if and when justified by the periodic risk assessments of the organization.
    - Disaster Recovery Plan: Owners of NDMA's information systems shall ensure that disaster recovery plans for their systems are developed, tested and implemented.
    - Cabling Security: The security of network cabling shall be reviewed during any upgrades or changes to hardware or premises.

  • Q & A?

  • Thank You