Acceptable Use Policy
Rules for the acceptable use of information and assets associated with information processing facilities.
Additionally covering internet access policy, BYOD policies as part of this.
Antivirus Policy
Detection, prevention and recovery controls to protect against viruses.
Information Classification and Data Policy
Information classification in terms of its value, legal requirements, sensitivity and criticality to the organization.
Additionally covering the Disposal of Information Policy and the Data Classification Guidelines/procedure as part of this (procedures for information labelling and handling). Additionally covers destruction of data on removable media. CPS 234 guidelines are also covered as part of this.
Clear Desk and Clear Screen Policy
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities.
Email Policy
Appropriate protection of Information involved in electronic messaging.
IT Mobile Computing Policy
a. The process that mobile computers must meet to leave the company network.
b. How mobile computers and devices will be protected while outside the organizational network.
c. The process that mobile computers must meet to enter the company network when being brought into a building owned by the organization.
Password Policy
Guidelines for managing passwords.
Physical Security Policy
Physical security for offices, rooms, and facilities by appropriate entry controls; physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disasters.
Risk Assessment and Handling Policy
Overall process of risk analysis and risk evaluation. Operating controls to manage an organization's information security risks in the context of the organization's overall business risks.
Change Management Policy
Policy to manage changes to the organisation, business processes, information processing facilities and systems that affect information security.
Remote Access Policy
Policy for teleworking activities, VPN and remote access of organisation resources.
Covering the VPN policy as part of this.
Security Incident Management Policy
Policy to raise, handle and resolve information security incidents.
Wireless Communication Policy
Specifies the conditions that wireless infrastructure devices must satisfy to connect to the wireless infrastructure of the organisation. Only devices that meet the standards specified in this policy are allowed to connect to the corporate Wi-Fi infrastructure.
Patch Management Procedure
Provides the guidelines for the use and deployment of the Patch Management Solution within the organisation.
Vulnerability Management Policy
Information about technical vulnerabilities of information systems being used shall be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
Business Continuity Planning Procedure
This is a detailed plan developed to enable continuity of operations of the organisation in the event of a disaster. The provisions of this plan will be used as the basis for guiding recovery activities and disaster recovery (DR), aimed at operating core business functions at a pre-determined minimum acceptable level of service.
Application Development and Code Review Procedure
Set of security guidelines to be followed at the time of software development and to establish a code review mechanism.
Audit Log and Monitoring Policy
Deals with handling and storing system critical logs and their ongoing monitoring.
Access Control Policy
The policy specifies how to manage access control to the organisation's critical assets and provide appropriate access controls to protect information processed or stored in computer systems, in order to prevent unauthorized access to data or system resources.
Key Management and Data Encryption Policy
Use of cryptographic controls for protection of information. Key management process to support the organization's use of cryptographic techniques.
Information Security Policy
This policy document provides the framework to develop and disseminate an information security policy in order to achieve the organisation's security objectives. This policy document is the master document, which is supported by other documents governing Information Security Management System compliance within the organisation.
Third Party Provider Policy
This policy outlines the requirements for engaging, monitoring and working with vendors, external service providers (ESPs), service provider partners and contractors.
Mandatory Data Breach Notification Policy
This policy sets out procedures for managing a data breach, including the considerations around notifying persons whose privacy may be affected by the breach.