
JAVIER, Danielle Louis

MANGALINDAN, Celine Abbey A.

GENERAL CONTROLS
OPERATING SYSTEMS
DATABASES/FILES
In order to maintain the security of the company's databases/files, access to
databases/files must be granted only after authentication with credentials. User
credentials must not be shared, and must not be stored in a location that can be
accessed by anyone.
1. Database passwords used must adhere to the Password Policy.
2. Database passwords must be controlled and changed from time to time.
Sharing of database passwords is not allowed.
3. Users may set permissions on the data files and folders to control what user
accounts can and cannot access.
4. Important and confidential files must be encrypted.
5. When backing up data, ensure that the data is properly encrypted and stored
in locations where others cannot access it. Test backups to ensure that data
can be recovered when needed.
IT ORGANIZATIONAL STRUCTURE
DATA CENTER SECURITY

NEW SYSTEM DEVELOPMENT


In order to improve the company's system security planning and management, security
must be considered at all stages of the development of an information system in
order to ensure conformance with appropriate security requirements, protect
sensitive information throughout the development and facilitate efficient
implementation of security controls.
1. A system security plan and documentation must be prepared for all information
systems or other systems under development that require special attention to
security due to the risk of harm resulting from loss, misuse or unauthorized
access to or modification of information therein.
2. Development, testing and production should be performed in separate
environments.

Testing of new systems should be done with fabricated data that mimics the
characteristics of real data to avoid impairing the data's integrity and
confidentiality.
3. System security controls must be assessed for vulnerability to identify weaknesses
that may be exploited. Assessment must be performed on new systems
before moving them to production.
SYSTEM MAINTENANCE
1. Scheduling, performing, documenting and reviewing records of
maintenance and repairs on information asset components should be in
accordance with manufacturer or vendor specifications or organizational
requirements.
2. All maintenance activities must be controlled whether performed on site or
remotely and whether the equipment is serviced on site or removed to
another location.
3. Only a designated official may approve removal of the information asset or
system components from organizational facilities for off-site maintenance or
repairs.
4. All security controls must be checked to verify that the controls are still
functioning following maintenance or repair actions.
5. System maintenance may only be done by approved and authorized
maintenance personnel or organizations.
