Security Management Guide (G06.24+, H06.03+)

Security Management Guide 522283-008
Appendix A: Sample Policies
A security policy should be a brief description of an organization's goals regarding protection of information and computer resources.

Specific procedures should be written to deal with issues such as adding users and securing objects. These procedures vary from department to department but should be consistent with the goals of the policy.

This appendix presents two sample policies. Both policies address the protection goals of the organization. However, the scope of each policy is different. The first policy addresses only computerized information, while the second deals with information in all forms.

These policies are only examples. Your policy can address more issues.
Sample Policy 1
Statement of MIS Security Policy
Scope
1. This policy applies to all information created or maintained by the Management Information Systems department. It also applies to all departments that interact with Management Information Systems and to all departments within the company responsible for processing sensitive data.
2. This policy applies only to computerized data processing information. It does not apply to paper-based or manually maintained information. A separate policy covers noncomputerized information.
Controls
1. Information processing shall be performed in a physically secure environment. Physical security controls shall correspond to the value of the information being protected.
2. Controls shall be established to help prevent unauthorized modification, destruction, or disclosure of data, whether caused accidentally or intentionally. All prudent measures will be taken to ensure the integrity and accuracy of critical company information.
Responsibilities
1. The Information Security Group shall establish, enforce, and communicate all information security requirements on a companywide basis. Information security requirements shall be developed and maintained in accordance with the nature of the various departments. The Information Security Group shall act independently from Management Information Systems.