
Internal IT Security Policy and Procedures

Sample Policy Document

SOFTWARE

Change Control
  • All alterations to system and application software must follow strict change control procedures to ensure the integrity of "Company Name"'s computer systems. For major changes this should include:
    • Authorisation of the request for change;
    • Risk assessment of the change;
    • User Acceptance Testing;
    • Relevant management sign-off;
    • IT Security sign-off;
    • Roll-back procedures in the event that the change fails; and
    • Documentation of the above.

  • Software development and testing must be carried out on a separate server from the live environment.

  • Adequate controls should be in place over any test data used in the testing process, as this data is quite often a copy of live data.
PHYSICAL SECURITY

The following standards must be applied to (insert relevant locations for your company), e.g. the Computer Room.
Computer Room Access
  • Access to the Computer Operations rooms must be restricted to authorised personnel only.

  • Third parties who have been granted access to the Computer Operations rooms must be accompanied at all times by authorised personnel.

  • Access to the Computer Operations rooms must be controlled by a physical access control mechanism such as an electronic or combination lock.
Fire detection/prevention
  • The Computer Rooms must be fitted with smoke/fire detectors and fire extinguishing equipment, which should be set to automatic operation when the computer room is left unattended for long periods.

  • Fire detection and prevention equipment must be tested at least twice a year.
UPS/Backup Generator
  • Each production server must have a UPS installed to protect against power surges.

  • The UPS and generator must be tested every x months.
Control of Computer Media and Documentation
  • Computer media (e.g. tapes) and documentation must be stored securely, e.g. in locked cabinets, when not in use.

  • Magnetic media that is no longer required and may contain confidential data must be disposed of securely, i.e. all data must be erased or the media must be rendered inoperable.

  • Back-ups of sensitive, critical, and valuable information must be stored in an access-controlled site.
Business Continuity Planning
  • The IT Department/relevant IT resource is responsible for business continuity planning for IT systems. The business continuity plan must be fully documented, maintained and tested on a regular basis.

  • The IT Department/relevant IT resource must make (insert frequency, e.g. daily) backups of the main servers which they are responsible for managing. These backups must be stored off-site so that they remain easily accessible, including should the computer room become inaccessible. The media should be tested for recovery purposes on a regular basis.

