In order to best protect all related information assets of this organization, safeguard the normal operation of network information systems, and guarantee people's rights, the Department of Budget Accounting and Statistics has established this policy as protection against outside threats or inappropriate management, inadvertent access, violations or leaks, while at the same time being able to guarantee the security and integrity of all computer processes, systems, etc. All individuals and groups are to follow this policy and are responsible for assisting in its promotion and improvement.
Goal of management
- To maintain the sustained operation of the information system.
- To prevent system invasion and corruption by hackers, viruses, etc.
- To identify and prevent inappropriate and illegal usage.
- To avoid careless accidents.
- To safeguard the environment's security.
The scope of Information Security shall include the following
The organization of an information security network, personnel management and security training, computer systems security management, network security management, system access control, application development and maintenance security management, and security audits.
The organization and delegation of authority, and the division of labor regarding information security, shall be as follows
- Each section and room supervisor shall make employees responsible for implementing information security work, and guard against any illegality or malfeasance.
- To address the differing needs of those involved, such as management, operations, work category, information type, etc., the CSRU will periodically carry out training and issue guidelines in order to enhance employees' recognition of information security and raise the overall system security level and security consciousness.
Computer System Security Management
- All outsourced operations shall be conducted by clearly defined contracts, containing rules and regulations manufacturers must adhere to, specifically regarding security responsibilities and confidentiality. All outsource entities must agree to obey said rules, as well as to submit to periodic investigation and evaluation.
- Establishment of a software use and management system, covering all facets of system operations, which must be understood and agreed to by all users.
- Adoption of whatever reasonable means necessary to provide prevention and protection in order to detect and defend against hackers, computer viruses, Trojan horses, or any other malicious software or programming, thus ensuring normal system operations.
- The purchasing of software & hardware related to the information system shall follow any national or government security standards, and any applicable standards shall be included in every purchase specification.
Network Security Management
- In order to ensure complete computer security protection, the department shall require that each e-mail account user update and change their passwords for city government e-mail accounts at least once every three months.
- Each user shall pay close attention at all times to the latest security announcements concerning computer operating systems, and make all needed updates immediately when available, in order to prevent hackers or viruses from invading or corrupting the site.
- If a user finds any fault or potential security flaw, it should be reported to network management as soon as possible. In the event of a computer system emergency, the user shall report to the computer security response unit immediately in order to complete the internal notification process. Any delay in this action must not exceed 30 minutes.
System Access Control
- Establish a uniform authorization and responsibility protocol for allowing employees and users to access the system.
- Retired and terminated employees shall immediately forfeit any authorization or power to use internal resources of the system.
- Create a database in order to register and strengthen user password management.
System Application Development and Maintenance Security Management
- Any outsourced applications or developments shall be done with the need for information security given full consideration. The maintenance, updates, on-line operation, and new version releases shall be done in a way so as not to endanger the security system or make it vulnerable to attack.
- Access to the system and its data shall be limited and regulated when outsourcing system development or maintenance for both software and hardware. Those manufacturers and developers who are entrusted to work on the system are to be closely supervised, and whatever equipment or material is to be used within the system shall be closely monitored and accounted for.
The Information Security Audit
All aspects concerning the information system shall be subject to periodic or unscheduled security audits. These audits shall be both internal and external in nature, covering anything related to system security, in order to carry out the information system security policy, and to ensure the highest possible standards of system dependability and integrity.