Advanced How To Guides

Internal IT Security Policy and Procedures

Sample Policy Document

ACCESS TO DATA

Emergency file updates
  • Where emergency changes are made to production files or software, these changes must be authorised by line management. The resulting audit trail must be retained.
Auditing and Monitoring
  • All application systems that handle sensitive "Company Name" information must generate logs that show additions, modifications, and deletions to such sensitive information.

  • Operating systems handling sensitive, valuable, or critical information must securely log all significant IT security relevant events.

  • Security reports and audit trails must be reviewed on a regular basis and all violations accounted for.

  • All login screens must include a warning against unauthorised use of "Company Name's" computer systems and a notification of "Company Name's" right to monitor user activity.
Logical access controls
  • The use of privileged accounts (e.g. administrator) must be restricted to authorised personnel only. The passwords must be held securely and their use will be recorded and checked on a regular basis.

  • When end-users have logged in, they should be restricted to menus that show the options that they have been authorised to select. End-users must not be allowed to invoke operating system level commands.
PC and NOTEBOOK SECURITY

Computer Viruses
  • Virus checking must be performed by the IT Department on all software prior to installation or distribution within "Company Name".

  • Virus checking software must be installed on all "Company Name's" PCs and notebook computers and must be automatically executed at system start-up.

  • PCs and notebooks must be updated with virus signature files on a (insert relevant timescale for your company e.g. daily/weekly etc.) basis.

  • Servers must be updated with virus signature files on a (insert relevant timescale for your company e.g. daily/weekly etc.) basis.
TELECOMMUNICATIONS

Remote Access
  • All inbound and outbound communications to "Company Name's" private network must be routed through the Demilitarised Zone (DMZ).

  • Where dial-up communications are used, "Company Name's" identity i.e. name or logo must not be revealed until all security validations have been successfully established.


National Development Plan The Programmes of Enterprise Ireland are co-funded by EU Structural Funds