
Abstract

An information security policy is a set of rules and practices that define how an organization's sensitive data and information should be managed, protected and distributed, both within and outside that organization. An information security policy covers several aspects, including:
(i) Labelling of information
(ii) Modification of information
(iii) Accountability
(iv) Ownership

It is important for an organization to classify its information and to identify the senior management and owner of each type, because not all information an organization stores is equal, and different types therefore require different levels of protection. This security policy defines the authority, and the delegation of authority, for the policies. The roles and responsibilities of each type of user involved in the security policy are clearly defined. The security policy has been developed to ensure the data integrity and confidentiality of all computer systems in this organization.

Executive summary

This regulation has been developed to ensure the data integrity and confidentiality of all computer systems at HMM TECH SECURITY SOLUTIONS. This document provides guidelines for the classification of data resources and for the retrieval and dissemination of data by different users in the firm. The policy seeks to ensure that all information technology and telecommunication (IT&T) resources are safe, and that security measures have been put in place to protect those resources against any form of security breach or damage to data, systems, application equipment and telecommunication. The security policy document also outlines the firm's security mission, goals and scope, the responsibilities of the various users of its computer systems, and the discretion and dissemination of client and employee information.


POLICY STATEMENT

HMM tech security solutions firm has implemented basic security policies and controls that govern end user computing operations, and management has the authority to evaluate the risks associated with end user computing. The purpose of this policy is to establish general guidelines for maintaining an end user computing environment within the firm that is controlled, consistent and secure, and that will enhance the productivity of end users.

Information is a critical asset of the HMM tech firm. Accurate, timely, relevant and properly protected information is essential to the success of the firm. The firm is committed to ensuring that all access to, use of, and processing of information is performed in a secure manner. The firm's Information Systems include all infrastructure, networks, hardware and software used to manipulate, process, transport or store information owned by the firm.

The main objective of this Information Systems Security Policy, and of its supporting technical requirements policy, is to define the security controls necessary to safeguard the firm's Information Systems and to ensure the security, confidentiality and integrity of the information held. The Policy provides a framework in which security threats to the firm's Information Systems can be identified and managed on a risk basis, and establishes terms of reference to ensure uniform implementation of information security controls throughout the firm.

HMM firm is aware that failure to implement adequate information security controls could potentially lead to various problems, including but not limited to:
- Financial loss
- Irretrievable loss of important data
- Damage to the reputation of HMM tech security solutions firm
- Legal consequences

Therefore measures must be put in place which will minimise the risk to the firm's information from unauthorised modification, destruction or disclosure of data, whether accidental or deliberate.
This can only be achieved if all employees, clients and contractors observe the highest standards of ethical, personal and professional conduct. The Information Systems Security Policy and its supporting policies apply to all who interact with HMM tech security solutions' computer and information systems, and all are expected to adhere to them. The HMM tech solutions board has approved the Information Systems Security Policy and the other supporting technical policies. The Board has delegated the implementation of the Information Systems Security Policy to the heads of departments. The Director of Information Systems Services and their delegated agents will enforce Information Systems security.

Objectives of the Information Systems Security Policy and supporting policies
- Ensure that information is created, used and maintained in a secure environment.
- Ensure that all of the firm's computing facilities, programs, data, networks and equipment are adequately protected against loss, misuse or abuse.
- Ensure that all users are aware of and fully comply with the Policy Statement and the relevant supporting policies and procedures.
- Create awareness that appropriate security measures must be implemented as part of the effective operation and support of information security.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
- Ensure that all assets owned by HMM tech secure solutions have an identified owner and that the accountability of each owner is observed.

End user computing policy and procedure responsibility

The board of directors delegates the day-to-day management of the use of microcomputers to the functional managers. They are responsible for ensuring that their employees adhere to the HMM tech solutions policies and procedures.

End User Computing Committee

The board appoints trusted members to the end user computing committee. The purpose of this group is to assist HMM firm management in developing and implementing policies and procedures for the end user computing environment, and in reviewing these policies and procedures for feasibility, enforceability and usability.

Information Systems Department

The information systems department is responsible for supporting and coordinating the day-to-day operation of the end user computing environment in a manner that is consistent and in compliance with the approved policies and procedures. The information systems department should monitor and review the activities of end users to ensure that they are adhering to the HMM firm policies and procedures.

Internal Audit Department

The internal audit department is responsible for conducting periodic reviews of the end user computing environment to ensure that policies and procedures are adequate to properly control the environment and that all end users consistently follow these policies and procedures. The internal audit department is also responsible for evaluating the level of compliance with the firm's end user computing standards, policies and procedures, and for reporting any discrepancies to the appropriate department manager for correction and enforcement, and to the board of directors through the audit committee in its regularly scheduled reports. The internal audit department will be available to management, users and the end user computing committee to provide input and recommendations in certain circumstances, which include the following:
- Purchase of new software
- Automation of procedures
- Access control issues
- Termination of employees
- Development and testing of systems/procedures
- Suspicion of fraud or misuse of software and/or hardware
- Implementation of new controls and/or testing


Acquisition of hardware and software

The acquisition of all hardware, software and peripherals must be properly justified and must comply with the firm's capital expenditure policies. All acquisitions, installations and implementations require review and coordination by the information systems department and approval by the appropriate department executive(s). Acquisitions of local area networks (LANs) or more complex systems may require a feasibility study or evaluation prior to approval of the acquisition. The end user computing committee will determine any additional requirements needed for the acquisition of more complex systems. The purchasing department will acquire all approved microcomputer (PC) hardware and software. The information systems department will maintain a complete inventory of hardware, software and peripherals. All department systems will be equipped with standardized hardware and software. The end user computing committee will be responsible for reviewing and determining the appropriate standardized hardware and software to be used by firm personnel.

Licensed Use of Packaged Software

HMM tech solutions employees are required to read and comply with commercial software license agreements. Managers must be certain that employees understand that modifying, selling or duplicating commercial software packages is illegal and expressly against HMM tech solutions policy. The firm may be held liable for anyone illegally obtaining or copying commercial software. Unauthorized copying or use of software can result in civil damages, and criminal penalties can include fines and imprisonment.


Software duplication includes:
- Making a copy of a software program from an employee's hard drive or from a diskette
- Using the master diskette on an employee's home computer when the software is already installed on one of HMM's computers
- Installing software that currently resides on an employee's home computer on an HMM computer
- Receiving an upgrade for a software package and installing the upgraded version on a different computer

The information systems department must review and audit any public domain software (e.g., Internet software) prior to installation on any HMM computer system.

Physical Protection and Security of Hardware/Software

Managers in each user area are responsible for proper and adequate physical security and protection of the hardware and software assigned to their departments. Department managers are responsible for developing and implementing appropriate physical security controls and protection of hardware and software, and for ensuring compliance with established physical security policies. In addition, department managers are responsible for the following:
- Ensuring sensitive reports and information are properly safeguarded and disposed of in a proper manner
- Assessing their department's physical control needs and implementing the controls necessary to ensure proper security and protection
- Monitoring and maintaining control over the use of laptop microcomputers
- Maintaining inventories of hardware and software and periodically auditing these inventories
- Securing the work areas housing microcomputers


- Assessing the need for locks and keys
- Establishing proper housekeeping rules
- Maintaining adequate environmental controls
- Training users on proper use and care of microcomputers

Although ultimate responsibility for the physical protection and security of hardware and software rests with the department manager, each user is responsible for the physical security and protection of his or her own microcomputer. In addition, end users are responsible for the following:
- Abiding by all housekeeping policies established by management
- Keeping a maintenance list identifying all maintenance done to their equipment
- Securing any laptop microcomputer while in their possession
- Being aware of, and reporting to management, any suspicious individuals or activity
- Ensuring that all software is backed up and maintained in a secure area

Restricted Access to Data and Software

It is the policy of HMM tech secure to protect the processing, storage and use of data on microcomputers, LANs or wide area network (WAN) systems according to the sensitivity of the data and its value to the firm. Each department manager will establish and implement proper and adequate access controls to restrict access to data and software. This is to prevent unauthorized access that could result in confidential data being accessed, improper loading of software that poses the risk of viruses and the use of unauthorized software, and improper downloading of programs and files that could result in unauthorized copying. Misuse of corporate data will be reported to management and the board of directors through the appropriate channels.

Backup, contingency planning and disaster recovery plan

Each department is responsible for identifying and establishing the proper procedures to ensure that hardware, software and documentation are adequately backed up, so as to ensure timely recovery in the event of a disaster. The department manager will perform a risk assessment of each department to determine the impact that loss of data would have on the firm through the following:
- Incorrect management decisions
- Improper disclosure of information
- Fraud
- Financial loss
- Competitive disadvantage

Based on the results of the risk assessment, each department manager will be responsible for ensuring that appropriate microcomputer backup procedures are included in their department's respective section of the disaster recovery plan for HMM tech solutions firm.

DATA INTEGRITY

Each department manager is responsible for implementing security measures and controls to ensure that all data are adequately evaluated, tested and validated prior to transfer or release. This includes data that reside on microcomputers, LANs and WANs and are downloaded or uploaded to the mainframe or to another system, and data that reside on a microcomputer from which critical business decisions are made and/or on which the firm's financial reporting is based. Each department is responsible for developing and maintaining a list of all sensitive data and of the programs used to process that data. The manager or supervisor of the department is responsible for keeping this information up to date and communicating it to employees. Virus detection software will be installed on each microcomputer in the firm to help ensure that no viruses are introduced into the firm's systems.

Program Development, Documentation, and Testing

All developed software, applications and programs must be fully tested and adequately documented before becoming part of a system that processes the firm's data. Prior to the development of any new software application or program, the end user computing committee will review the request for the new application or program and perform a cost/benefit analysis. Managers are responsible for overseeing new projects and ensuring management control of the development process. Management control will encompass all phases, including the initial development phase, development of appropriate data editing controls, proper input/output controls, report design, adequate testing and documentation.

TRAINING AND SUPPORT

The board of directors understands that the increase in microcomputer use requires that employees be properly trained and informed on the policies and procedures endorsed by the firm with regard to end user computing. The ease with which employees can enter, move around within, and leave the firm increases the risk to the firm. Therefore, management and the board plan to address these issues through policies, education and the training of users on the security and use of microcomputers. The firm will provide end user computer training to all employees. All users will be trained before they use hardware and software owned by HMM tech solutions. The training department of the HMM firm is responsible for developing end user training materials and providing information and classes for all employees. Training will cover the firm's policies and procedures relating to end user computing. The programs developed will increase employees' awareness of microcomputer security risks and vulnerabilities and of the appropriate preventive controls. The training department will maintain documentation concerning the training of all employees for review by department managers, internal audit, the board of directors and regulators.

The HMM tech solutions firm board of directors approved and adopted this policy on 20th April 2012.



