
Information Security Policy

BoM Office of Information Systems and Technology - United Nations Development Programme

304 E. 45th Street, New York, NY 10017 - oist.security@undp.org - Confidential and Proprietary © 2010

DOCUMENT CONTROL

Document Name: Information Security Policy
Language(s): English, French, Spanish
Responsible Unit: BoM - BoM/OIST
Creator (individual): Paul Raines, Chief Information Security Officer (CISO)
…/Prescriptive Content/Information Technology
Subject (taxonomy): Management/Policies
Effective Date: October 2009
Mandatory Review: 12 months
Audience: All individuals accessing UNDP ICT Resources
Applicability: All UNDP staff members at Headquarters, in Country Offices and at other offices worldwide, and all third parties using ICT resources owned or operated by UNDP
Replaces: NA
Is part of: NA
Related documents: Country Office & Regional ICT Security Standards; ICT Security and Awareness Standards; System Logon Banner Standards; ICT Security Best Practices Guide; IDM User Guide
UN Record Ref.: TBD

Revision history (Date, Author, Version: Change Reference)

7 Oct 2009, P. Raines, 1.0: Initial version
1 Nov 2009, P. Raines, 1.1: BoM/OIST Management; BoM units; MPN review; ICT Managers, LSO and OAI
10 Feb 2010, P. Raines, 1.2: CTO; CISO review of document
20 Feb 2010, P. Raines, 1.3: Changes made from ICT Review Committee Review
7 April 2010, P. Raines, 1.4: Changes made from OHR 2nd Review
26 April 2010, P. Raines, 1.5: Changes made from LSO 2nd Review. Operations Group review. No other changes after the ICT Board e-review.


Table of Contents

1.0 INTRODUCTION, PURPOSE AND SCOPE   5
  1.1 Introduction   5
  1.2 Purpose   5
  1.3 Scope   6
  1.4 Effective Date   6
2.0 RESPONSIBILITIES   6
  2.1 The Information Security Programme   7
  2.2 Policy Compliance   7
  2.3 Policy Exceptions   8
3.0 PRINCIPAL DECLARATION ON INFORMATION SECURITY MANAGEMENT   8
  3.1 Principal Declaration   8
4.0 SUPPORTING POLICY STATEMENTS   9
  4.1 Statement 1 – Asset Management   10
  4.2 Statement 2 – Human Resources Security   11
  4.3 Statement 3 – Physical and Environmental Security   12
  4.4 Statement 4 – Communications and Operations Management   13
  4.5 Statement 5 – Access Control   16
  4.6 Statement 6 – Information Systems Acquisition, Development and Maintenance   17
  4.7 Statement 7 – Information Security Incident Management   19
  4.8 Statement 8 – Business Continuity Management   19
  4.9 Statement 9 – Compliance   20
5.0 APPENDIX A – GLOSSARY OF TERMS   21
INDEX   24


Compliance with ICT Policies and Guidelines

- Policies, Standards, Work Instructions, Checklists - Compliance is mandatory.
- Guidelines, Best Practices, White Papers - Compliance is not mandatory. Any deviation from guidelines, best practices, and white papers usually implies potential risks for which users are required to take mitigating measures.

Policies – Formal, brief, and high-level statements that embrace UNDP's ICT goals, objectives, and acceptable procedures. Compliance is mandatory and failure to comply may result in administrative action. Waivers to the policy must be requested in writing to and approved by the Chief Information Security Officer (CISO).

Standards – Written to directly support a policy and to provide more detailed guidance in specific areas (e.g. security requirements for system acquisition and development). Compliance is mandatory and failure to comply may result in administrative action. Waivers to standards must be requested in writing to and approved by the Chief Information Security Officer (CISO).

Work Instructions and Checklists – Written to provide detailed instructions on the execution of a specific security task (e.g. a checklist for generating a digital certificate for encryption and digital signing). Compliance is mandatory and failure to comply may result in disciplinary action. Waivers to standards must be requested in writing to and approved by the Chief Information Security Officer (CISO).

Guidelines and Best Practices – Provide a framework within which to implement procedures. Guidelines,
guides, procedures, and best practices are not mandatory, but are rather recommendations. Any deviation
from guidelines or best practices usually implies potential risks for which users are required to take
mitigating measures.

White Papers – Authoritative reports or briefs that often address issues and how to solve them. White papers
are used to educate readers and help people make decisions. White papers carry no compliance component,
but are rather informative bulletins or reports.


1.0 INTRODUCTION, PURPOSE AND SCOPE

1.1 Introduction

1.1.1 The Information Security Policy sets out the basis for UNDP in protecting the confidentiality, integrity, and
availability of its data, for classifying and handling confidential information, and for dealing with breaches of this
Policy.
1.1.2 The Information Security Management System (ISMS) stipulated by ISO 27001 requires a comprehensive
Information Security Policy document covering all areas of Information Security and, given the prevalence of
automated information handling techniques, particularly in the area of ICT security. This document satisfies that
requirement.

1.1.3 The structure of this Information Security Policy follows that of ISO/IEC 27001 and 27002 (Second Edition, dated 15 June 2005) to provide for easy correlation between the standard's requirements and associated UNDP policy statements. The diagram below details the relationship between the Strategic Plan of UNDP, the UNDP Information Management Strategy, the UNDP Information Security Policy and subordinate standards which provide more detailed guidance on implementing the requirements of the Information Security Policy.

[Diagram: document hierarchy. UNDP Strategic Plan, above the UNDP Information Management Strategy (alongside the ICT Roadmaps), above the Information Security Policy (alongside the ICT Governance Policy), above the ICT Security Standards..., above the ICT Security Best Practices...]

1.2 Purpose

1.2.1 The management of Information Security is the reasonable selection and effective implementation of
appropriate controls to protect critical organization information assets. Controls and management processes, coupled
with the subsequent monitoring of their appropriateness and effectiveness, form the two primary elements of the
Information Security programme. The three goals of Information Security include:
- Confidentiality
- Integrity
- Availability

1.2.2 Regulation 1.2(i) of the UN Staff Regulations requires that staff members shall exercise the utmost discretion with regard to all matters of official business. They shall not communicate to any Government, entity, person or any other source any information known to them by reason of their official position that they know or ought to have known has not been made public, except as appropriate in the normal course of their duties or by authorization of the Secretary-General. That direction is supported and implemented by this Policy.

1.2.3 This Policy sets out the basis for the protection of information, facilitating security management decisions, and
directing those objectives which establish, promote, and ensure best Information Security controls and management
within the UNDP working environment.

1.3 Scope

1.3.1 This Policy states broad management principles guiding the Information Security programme in place within UNDP. This Policy applies to all physical areas under the control of UNDP. Where other specific functional policies set more stringent requirements, they take precedence in those functional areas. This Information Security Policy shall be reviewed by the Bureau of Management (BoM)/Office of Information Systems and Technology (OIST) Chief Information Security Officer (CISO) at regular intervals to ensure its continuing suitability, adequacy, and effectiveness.
1.3.2 Information security standards and work instructions are subordinate to this Policy and provide more specific
detail on implementation of the Information Security policy statements in this document. Such standards shall be
read in conjunction with this Policy. If there is a discrepancy between any provision of this Policy and any such
standard or work instruction, the provisions of this Policy shall take precedence.

1.4 Effective Date

1.4.1 This Policy is effective from the date of issue shown in the Document Control table.

2.0 RESPONSIBILITIES

2.0.1 The CISO is responsible for Information Security within UNDP and for the approval of this Policy. The BoM/OIST ICT Information Security Services (ISS) unit, Global Services Section Operations Security unit, Atlas unit, and the Office of Audits and Investigations (OAI) shall keep the CISO informed of issues impacting the effectiveness of this Policy or the Information Security programme in general. The CISO is responsible for ensuring that:
- This Policy is reviewed at regular intervals or when significant changes occur
- Revisions, once approved, are communicated to all UNDP staff and, where appropriate, to other individuals or entities authorized to access UNDP information
- Action is taken to protect the UNDP ICT environment from serious risks to the confidentiality, integrity and availability of its information.


The responsibilities of all staff and other authorized individuals or entities to protect UNDP information are of critical importance. All staff are therefore required to adhere to this Policy and to report actual or potential areas of Information Security risk to the BoM/OIST ICT Security unit (at oist.security@undp.org). Some obligations of this Policy may be met by existing plans or implemented by certain units within UNDP. Because organizational plans, structures and responsibilities often change, the Information Security Policy will not specify which unit or plan satisfies a requirement but will only specify the obligation which must be met under the Policy.

2.1 The Information Security Programme

2.1.1 An Information Security programme exists within UNDP to ensure that there is clear responsibility and
accountability, both within and across organizational units, for the management of Information Security. The
Information Security programme consists of the policies, standards, work instructions, organizational units and
individuals with security responsibilities and provides the structure as well as an effective mechanism for
coordinating and managing Information Security for the organization.

2.1.2 In support of the Information Security programme, the BoM/OIST ICT Security unit is mandated to exercise its duties in the following areas:
- Evaluate potential risks, determine the requirements and recommend suitable countermeasures to manage risks, in areas relating to the handling and protection of information by the UNDP
- Organize and coordinate the training of staff members in the areas of operations, information, communications, authorized users, facility, and information technology-related security procedures to be followed while working with UNDP

2.1.3 By providing consultancy and support, and by performing ongoing reviews, the BoM/OIST ICT Security unit
will assist individual organizational units to comply with policies in support of the Information Security programme.

2.1.4 The BoM/OIST ICT Security unit shall also participate fully in the process of authorizing all new information systems or applications to ensure that necessary security elements are considered and adequately addressed prior to the new system's approval for use by UNDP.

2.1.5 The Office of Audits and Investigations (OAI) shall provide the senior management of UNDP with a periodic
independent assessment of the operation and effectiveness of the Information Security programme.
2.1.6 There will be quarterly Information Security Management Meetings consisting of staff members and
contractors in UNDP who are key to implementing the information security programme. The CISO will chair the
meeting, coordinate agenda items and ensure that minutes of the meeting with relevant action items are taken. The
meetings will discuss the effectiveness of the information security programme and examine means for its continued
effective monitoring and improvement. The Information Security Management Meeting team shall be the primary
OIST management forum to coordinate and gain feedback on this Policy and supporting Information Security
standards.
2.2 Policy Compliance

2.2.1 Compliance with this Policy is a condition of employment for all UNDP staff and a condition of contract for all
other authorized individuals or entities, unless a prior (temporary) waiver is obtained (see Section 2.2.2 below).


2.2.2 Failure to comply with this Policy without obtaining a prior waiver shall be dealt with in accordance with
UNDP Staff Regulations and Rules, or as appropriate, the staff contractual terms.

2.3 Policy Exceptions

2.3.1 Where an organizational unit is unable to meet a policy statement contained in this document, the Head of a unit
shall obtain a written waiver from the CISO.
2.3.2 A waiver represents an agreement by the CISO to grant temporary exemption from a policy or standard to an organizational unit, after formal review and approval:
- For a genuine or justifiable reason
- For a specified period of time not greater than one (1) year
- With the organizational unit's knowledge and acceptance of the risks involved

2.3.3 All waiver requests shall be submitted in writing and shall be viewed as temporary and carry a specific
expiration date. They are subject to review by the BoM/OIST ICT Security unit annually or at the expiration date,
whichever is sooner, as part of the ongoing governance process.

2.3.4 If a waiver is no longer required before the expiration date or annual review, the Head of the unit shall inform or
advise the BoM/OIST ICT Security unit accordingly (oist.security@undp.org).

3.0 PRINCIPAL DECLARATION ON INFORMATION SECURITY MANAGEMENT

3.0.1 Objective

3.0.2 Establish the direction on and commitment to Information Security and ensure it is communicated, applied, and
complied with throughout the organization. Further, to develop and implement Information Security architecture, to
protect information assets from loss or misuse, and to mitigate the risk of financial, productivity, and reputation loss
to UNDP.

3.0.3 The Information Security Policy consists of a principal declaration, which sets out the position on Information
Security and defines three security principles upon which this Policy is formed, followed by nine supporting Policy
Statements that expand upon those principles.

3.1 Principal Declaration

3.1.1 The UNDP recognizes that data and information (whether its own, or that entrusted to its care) are core to its
ability to fulfill its mission.
3.1.2 The UNDP is fully committed to protecting information and the environments in which information is processed, transmitted and stored, consistent with the following security principles:
- Best practices in Information Security
- The value or level of sensitivity
- All applicable laws, policies, statutes, regulations, and contractual requirements


3.1.3 All UNDP staff and other authorized individuals or entities are responsible for maintaining appropriate control
over information in their care and for bringing any potential threats to the confidentiality, integrity, or availability of
that information to the attention of the appropriate management. Appropriate training and awareness programmes will
be available to support and reinforce this responsibility.

4.0 SUPPORTING POLICY STATEMENTS

4.0.1 The following Policy Statements, structured on the ISO/IEC 27002 standard, support the Principal Declaration and define the compliance requirements of Information Security Policy management. The Statements address the following areas:

1 Asset Management
2 Human Resources Security*
3 Physical and Environmental Security
4 Communications and Operations Management
5 Access Control
6 Information Systems Acquisition, Development and Maintenance
7 Information Security Incident Management
8 Business Continuity Management
9 Compliance

* Refers to the personnel actions taken during the employment lifetime of a staff member or contract holder which affect the information security of the Organisation.

4.0.2 These Policy Statements are implemented through the supporting rules found in this Policy and through subordinate Information Security standards, which set the minimum criteria with respect to how policy objectives will be achieved.
4.0.3 Adherence to both the Policy and the related Information Security standards is mandatory for all staff and other authorized individuals and entities, and is to be incorporated within relevant working procedures.
4.0.4 The BoM/OIST ICT Security unit will undertake periodic reviews and the Office of Audits and Investigations (OAI) will conduct periodic audits of UNDP units to confirm compliance with this Policy and related standards.


4.1 Statement 1 – Asset Management

4.1.1 Objective

To achieve and maintain appropriate protection and control of UNDP information assets and to ensure that responsibility and accountability for this protection and control is properly vested in designated information owners/custodians. To ensure appropriate handling procedures are applied to important information assets.

4.1.2 Policy Statements

Responsibility for Assets:

4.1.3 All assets shall be clearly identified and an inventory of all important information-related assets drawn up and maintained. Such important information-related assets may include, but are not limited to:
- Information: databases and data files, contracts and agreements, system documentation, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information
- Software assets: application software, system software, development tools, and utilities
- Physical assets: computer equipment, communication equipment, removable media, and other equipment
- Services: computing and communications services, general utilities, e.g. heating, lighting, power, and air-conditioning

4.1.4 All information and assets associated with information systems shall be owned by a designated unit of UNDP. The designated owner (the individual or entity that has approved management responsibility for controlling the custody, production, development, maintenance, use and security of the assets; routine tasks may be delegated, e.g. to a custodian looking after the asset on a daily basis, but the responsibility remains with the owner) shall:
- Ensure that information and assets associated with information systems under their control are appropriately classified
- Periodically review access restrictions and classifications, taking into account applicable access policies

4.1.5 Rules and standards for the acceptable use of information and assets associated with information systems shall be identified, documented and implemented. Acceptable use rules and standards shall be applicable to all staff and other authorized individuals or entities, and shall address acceptable use of:
- Electronic mail and Internet services
- Mobile devices
- Other information processing or storage devices or services

Information Classification:
4.1.6 Information shall be classified or categorized in terms of its value, legal requirements, sensitivity, and
criticality to the UNDP.


4.1.7 Appropriate procedures for labeling and handling sensitive information shall be developed and implemented.
Such procedures may incorporate special handling qualifiers or other dissemination caveats such as “in-confidence”
and/or “internal use only.”

4.2 Statement 2 – Human Resources Security

4.2.1 Objective

To ensure that UNDP staff and other authorized individuals or entities understand their responsibilities, and to reduce the risk of theft, fraud or misuse of facilities. All candidates for employment and all other authorized individuals should be adequately screened and detailed reference checks conducted, especially for sensitive jobs. Information security responsibilities should be addressed prior to employment, in job descriptions and in the terms and conditions of employment.

4.2.2 Policy Statements

Prior to Employment:

4.2.3 Security roles and responsibilities of all staff and other authorized individuals or entities of UNDP information
assets shall be defined and documented in appropriate terms and conditions prior to employment or contract
finalization, reflecting the requirements of this Policy.

4.2.4 Verification of critical information, including academic qualifications, languages, nationality, employment history and detailed reference checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant policies and procedures, and proportional to the organization's requirements, the classification of the information to be accessed, and the perceived risks. Reference checks shall take into account all relevant privacy, protection of personal data and/or employment-based established policies and procedures, and shall, as far as is permitted, include:
- Availability of satisfactory references
- A check (for completeness and accuracy) of the candidate's Curriculum Vitae/Personal History Form (P.11)
- Confirmation of claimed academic and professional qualifications
- An independent identity check
- More detailed checks as appropriate

4.2.5 As part of their contractual obligation, staff and other authorized individuals or entities shall agree and sign the
terms and conditions of their employment contract and shall also agree to the confidentiality provisions of the UN
Staff Rules and Regulations.

During Employment:
4.2.6 All staff and other authorized individuals or entities using UNDP information assets shall apply security measures in accordance with all relevant UNDP regulations, rules, policies and procedures. All HR data, files and records are deemed sensitive and confidential. UNDP shall ensure that all staff and other authorized individuals or entities:
- Are properly briefed on their Information Security roles and responsibilities prior to being granted access to sensitive information or information systems
- Are provided with sufficient guidelines outlining the security expectations for their role within the UNDP
- Adhere to the terms and conditions of employment
4.2.7 All UNDP staff and, where relevant, other authorized individuals or entities, shall receive appropriate training
and regular updates on Information Security-related policies and procedures as relevant to their function.
4.2.8 Any required disciplinary procedure resulting from a serious breach of Information Security assets or protocols
shall be conducted in accordance with the relevant provisions of the UNDP Staff Regulations and Rules.

Staff Separation, Reassignment, and Termination:

4.2.9 Responsibilities for performing employment separation, reassignment, and termination shall be clearly defined and assigned. The separation process shall include the communication of post-employment responsibilities emanating from the Confidentiality Agreement or terms and conditions of employment.
4.2.10 Staff and other authorized individuals or entities shall return all UNDP assets in their possession upon separation from employment, contract or agreement. The separation process shall formalize the return of all previously issued information assets.
4.2.11 The access rights of all staff and other authorized individuals or entities to information and information systems shall be removed or altered as appropriate upon separation or termination of their employment, contract or agreement, or adjusted upon reassignment. Any deviations from this requirement can occur only with the CISO's explicit consent.

4.3 Statement 3 – Physical and Environmental Security

4.3.1 Objective

To ensure that UNDP premises, work areas, and information assets are adequately protected against identified risks to
information assets. Critical or sensitive information systems should be housed in secure areas, protected by defined
security perimeters, with appropriate security barriers and entry controls.

4.3.2 Policy Statements

Information Assets:
4.3.3 All staff and other authorized individuals or entities shall ensure that documents containing sensitive
information are secured when not in use.

4.3.4 Sensitive information assets shall not be removed from UNDP premises without proper authorization.
Work Areas:


4.3.5 Security perimeters (barriers such as walls, card-controlled entry gates and doors, and manned reception desks)
shall be used to protect areas that contain information and information systems.

4.3.6 Security perimeters shall be clearly defined, and all security measures shall be implemented.
Equipment:
4.3.6 Information systems shall be sited or protected to reduce the risks from environmental threats and hazards, and
opportunities for unauthorized access. Power and telecommunications cabling carrying data or supporting
information services shall be protected from interception or damage.
4.3.7 Information systems shall be protected from power failures and other disruptions caused by failures in
supporting utilities. Such protection shall be integrated with business continuity planning (BCP) and disaster recovery
(DR).

4.3.8 Information systems shall be correctly maintained to ensure continued availability and integrity. Only
authorized maintenance staff or contractors shall perform maintenance, and adequate records of all maintenance shall
be kept. Where appropriate, information should be cleared from storage equipment before maintenance is performed.
4.3.9 Security shall be applied to off-site information systems and equipment, taking into account the different risks of working outside UNDP premises. Such security may include measures to protect against casual theft when travelling, inappropriate use, or loss of confidentiality of information assets.
4.3.10 Information systems and equipment containing storage media shall be checked to ensure any sensitive data or
licensed software has been removed or securely destroyed prior to disposal.

4.3.11 Information systems and equipment shall not be removed from UNDP premises without proper authorization.

4.4 Statement 4 – Communications and Operations Management

4.4.1 Objective

To ensure the correct and secure operation of information systems, that key business and support processes
incorporate effective Information Security controls, and that adequate operating procedures exist for the management
and operation of UNDP information systems.

4.4.2 Policy Statements

Operational Procedures and Responsibilities:

4.4.3 Formal documented procedures shall be established, maintained, and made available for all activities involving
information processing and communication facilities.

4.4.4 Changes to information systems and applications shall be subject to change management control. Change
management procedures shall be developed with appropriate documentation to demonstrate compliance.


4.4.5 Appropriate segregation of duties and responsibilities shall be implemented to the greatest extent possible, to reduce the possibility that any one individual can compromise an application, a policy, a procedure or an activity, perform unauthorized or unintentional modifications to any information assets, or misuse them.

4.4.6 Development, test, and operational (production) facilities shall be separated to reduce the risks of unauthorized
access or changes to the operational system.

Third Party Service Delivery Management:

4.4.7 Service and delivery levels as well as security controls provided by third-party providers involved in supporting
UNDP information processing or telecommunication services shall be monitored to ensure that services are
implemented, operated, and maintained in accordance with contractual obligations.

4.4.8 Changes in the provision of third-party services shall be closely managed, taking into account the criticality of
the information systems and processes involved and the re-assessment of all relevant risks.
System Planning and Acceptance:
4.4.9 Acceptance criteria for new or upgraded information systems shall be established, and suitable tests of the
system(s) carried out during development and prior to acceptance.

4.4.10 Existing information system resources shall be monitored and adjusted as necessary, and projections made of
future capacity requirements, to ensure continued performance at the required levels.

Protection against Malicious and Mobile Code:

4.4.11 Detective, preventive, and corrective controls, as well as appropriate user awareness procedures shall be
implemented to protect against malicious code.

4.4.12 Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code
operates according to a clearly defined security policy.

Backup:

4.4.13 Appropriate backup arrangements, including annual testing, shall be implemented and maintained to protect
information and software and to ensure all critical information assets and processes can be recovered if required for
any reason.

Network Security Management:


4.4.14 Computer and communication networks shall be adequately managed and controlled, in order to be protected
from threats, and to maintain security for systems and applications using the network, including information in
transit.

4.4.15 Security features, service levels, and management requirements of all network services, both internal and
outsourced, shall be identified and included in all network services agreements.

Media Handling:

4.4.16 Procedures shall be established for the management of removable storage media, including procedures for the
safe and secure disposal of storage media when no longer required.

4.4.17 Procedures shall be established for the handling and storage of information to protect against unauthorized
disclosure or misuse.

Monitoring:

4.4.18 Procedures for monitoring use of information systems shall be established and the results of the monitoring
activities reviewed regularly. Monitoring shall be used to determine that actual usage complies with authorized
usage.

4.4.19 Audit logs recording user activities, exceptions, and Information Security events shall be produced and kept
for an agreed period to assist in possible investigations and/or access control monitoring. Logging facilities and log
information shall be protected against tampering and unauthorized access.

4.4.20 System administrator and system operator activities should be logged. Faults should be logged, analyzed and
appropriate action taken.

4.4.21 The clocks of all relevant information processing systems within UNDP shall be synchronized with an agreed
accurate time source.
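
The tamper-protection requirement of 4.4.19 and the clock-synchronization requirement of 4.4.21 are usually met together: each audit record is chained to the one before it and authenticated with a key that the monitored systems do not hold, and the verifier also checks that timestamps never run backwards, which is the symptom of an unsynchronized clock. The following Python is an added illustration, not code from this policy or from UNDP; the log format, the field names, the placeholder key and the sample events are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Key held only by the log collector, never by the systems being monitored
# (an assumption of this example; the value is a placeholder, not a real key).
LOG_KEY = b"example-log-collector-key-not-for-production"
GENESIS = "0" * 64   # link value for the first record


def _canonical(record: Dict) -> bytes:
    """Serialize every field except the MAC in a fixed order."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, record: Dict) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def append_event(log: List[Dict], key: bytes, ts: str, user: str, action: str) -> Dict:
    """Append one audit record whose MAC also covers the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    record = {"seq": len(log), "ts": ts, "user": user, "action": action, "prev": prev}
    record["mac"] = _mac(key, record)
    log.append(record)
    return record


def verify_chain(log: List[Dict], key: bytes) -> Tuple[bool, int, str]:
    """Walk the chain; return (ok, index of first bad record, reason)."""
    prev = GENESIS
    last_ts = ""
    for i, rec in enumerate(log):
        if rec.get("seq") != i:
            return False, i, "sequence gap (record deleted or inserted)"
        if rec.get("prev") != prev:
            return False, i, "chain link broken"
        if not hmac.compare_digest(_mac(key, rec), rec.get("mac", "")):
            return False, i, "record content altered"
        if rec["ts"] < last_ts:        # ISO-8601 UTC strings sort chronologically
            return False, i, "timestamp earlier than previous record (clock skew?)"
        prev, last_ts = rec["mac"], rec["ts"]
    return True, len(log), "ok"


def build_sample_log() -> List[Dict]:
    """Constructed events (not real UNDP log data)."""
    log: List[Dict] = []
    append_event(log, LOG_KEY, "2010-04-26T09:00:00Z", "jdoe", "login ok")
    append_event(log, LOG_KEY, "2010-04-26T09:05:12Z", "jdoe", "read HR/payroll.xls")
    append_event(log, LOG_KEY, "2010-04-26T09:07:40Z", "admin1", "useradd tempsvc")
    append_event(log, LOG_KEY, "2010-04-26T09:30:00Z", "jdoe", "logout")
    return log


def tampered_copy(log: List[Dict], index: int, **changes) -> List[Dict]:
    """Copy of the log with one record edited after the fact (no re-MAC)."""
    out = copy.deepcopy(log)
    out[index].update(changes)
    return out


def deleted_copy(log: List[Dict], index: int) -> List[Dict]:
    """Copy of the log with one record removed, as an intruder covering tracks."""
    out = copy.deepcopy(log)
    del out[index]
    return out


if __name__ == "__main__":
    good = build_sample_log()
    print(verify_chain(good, LOG_KEY))
    print(verify_chain(tampered_copy(good, 2, action="useradd nobody"), LOG_KEY))
    print(verify_chain(deleted_copy(good, 2), LOG_KEY))
```

Editing a record breaks its MAC, deleting one leaves a sequence gap, and re-linking the chain after a deletion is impossible without the collector's key; an administrator on the monitored host therefore cannot quietly rewrite history, which is the point of keeping the key and the verifier off that host. The timestamp check is only meaningful if the sources keep time from the agreed source in 4.4.21; without that, genuine events look like tampering and the ordering of events across systems cannot be relied on in an investigation.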

Information exchange procedures:


4.4.22 There shall be no exchange of sensitive UNDP information with a third party without authorization and
appropriate controls in place to protect the information from unauthorized disclosure. Agreements should be
established for the exchange of information and software between UNDP and external parties.

4.4.23 Media containing sensitive information should be protected against unauthorized access, misuse or corruption
during transportation (including by electronic means) beyond UNDP's physical boundaries.

Electronic Commerce and Business Information Systems


4.4.24 Information associated with the interconnection of business information systems shall be protected to prevent
misuse or corruption. Information involved in electronic commerce passing over public networks should be protected
from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

4.4.25 Information involved in on-line transactions should be protected to prevent incomplete transmission, mis-
routing, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.
The integrity of information provided on publicly available systems should be protected to prevent unauthorized
modification.

External Parties:

4.4.26 Objective: to maintain the security of the organization's information and information processing facilities that
are accessed, processed, communicated to, or managed by external parties. Policy statements:
 The risks to the organization's information and information processing facilities from business
processes involving external parties should be identified and appropriate controls implemented before
granting access to, or sharing information with, such entities.

 Agreements with third parties involving accessing, processing, communicating or managing the
organization's information or information processing facilities, or adding products or services to
information processing facilities, should cover all relevant security requirements.

4.5 Statement 5 – Access Control

4.5.1 Objective

To ensure appropriate restrictions on access to information are implemented and maintained in line with legitimate
business needs and security responsibilities.

4.5.2 Policy Statements

Business Requirement for Access Control:


4.5.3 Adequate access control shall be applied to the information assets to ensure access is available only to current
members of staff (or other authorized individuals or entities) who require it in the course of their official duties and
that the rights of user access take proper account of the type and level of sensitivity of the information concerned.

User Access Management:

4.5.4 A formal, timely registration and de-registration procedure, initiated by authorized officials from the hiring unit
based on authorized user actions, shall be established for granting and revoking access to all information systems and
services so that access privileges are extended only to currently authorized persons. Procedures shall ensure:
 Unique user IDs are assigned, and shared or group IDs are permitted only for documented business or
operational reasons
 Access rights of users who have changed jobs or left the UNDP are removed, blocked, or altered as
appropriate

4.5.5 The allocation and use of privileged access to information systems shall be restricted and controlled to ensure
allocation to users solely on a need-to-use basis in line with users' official duties.

4.5.6 User access rights to information systems and applications shall be formally reviewed at least annually to
prevent excessive user rights and to maintain effective control over access to data and information services.

4.5.7 The allocation of passwords and user accounts shall be controlled through a formal management process. All
individually allocated user names or log-on identities shall be for the exclusive use of the individuals to whom they
are allocated. All log-on identities shall be used in conjunction with at least a password.
4.5.8 All authorized users are individually responsible for the creation and maintenance of passwords in accordance
with relevant password standards. An authorized user must take all reasonable precautions to prevent the
unauthorized use of his/her user name or the disclosure of his/her password.
4.5.9 All staff and other authorized individuals or entities shall ensure that computers and terminals are logged off or
locked with a password-protected screen or keyboard lock when not in use. When staff are not physically present at
their desks, they should clear their desks of paper and removable storage media containing sensitive information.
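
The controls in 4.5.4 to 4.5.6 (prompt de-registration of leavers and job changers, documented justification for shared IDs, need-to-use privileged access, and a periodic review of rights) are commonly checked by reconciling the account list of each system against the HR roster. The Python below is an added illustration of that reconciliation, not code from this policy or from UNDP; the CSV column names, the status values "separated" and "transferred", the approved-privileged list, the 90-day dormancy threshold and the sample rows are all constructed for the example.

```python
import csv
import io
from datetime import date
from typing import Dict, List, Set

# Constructed sample exports (not real UNDP data). Column names and the
# "separated"/"transferred" status values are assumptions for this example.
HR_ROSTER_CSV = """staff_id,name,status,separation_date
1001,A. Ahmed,active,
1002,B. Bello,separated,2010-03-15
1003,C. Chen,active,
1004,D. Diallo,transferred,
"""

ACCOUNTS_CSV = """username,owner_staff_id,enabled,privileged,last_login,shared_justification
aahmed,1001,yes,no,2010-04-20,
bbello,1002,yes,no,2010-04-01,
cchen,1003,yes,yes,2010-04-25,
ddiallo,1004,yes,yes,2009-10-01,
ops-shared,,yes,no,2010-04-24,
backup-svc,,yes,yes,2010-04-26,Ticket OPS-2210: nightly backup job
oldintern,1005,no,no,2009-06-30,
"""

# Accounts whose privileged access the asset owner has approved (assumption).
APPROVED_PRIVILEGED: Set[str] = {"cchen", "backup-svc"}
DORMANT_DAYS = 90                 # review threshold chosen for this example
AS_OF = date(2010, 4, 26)         # date of the review run


def _parse(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv: str, accounts_csv: str, approved_privileged: Set[str],
                  as_of: date, dormant_days: int = DORMANT_DAYS) -> List[Dict[str, str]]:
    """Reconcile the account list against the HR roster and return one finding
    per control gap, tagged with the policy clause it relates to."""
    staff = {row["staff_id"]: row for row in _parse(hr_csv)}
    findings: List[Dict[str, str]] = []

    def flag(user: str, clause: str, text: str) -> None:
        findings.append({"username": user, "clause": clause, "finding": text})

    for acct in _parse(accounts_csv):
        if acct["enabled"] != "yes":
            continue                      # disabled accounts are already blocked
        user = acct["username"]
        owner_id = acct["owner_staff_id"]

        if owner_id == "":
            # Shared or service account: permitted only with a documented reason.
            if not acct["shared_justification"].strip():
                flag(user, "4.5.4", "shared account without documented justification")
        else:
            owner = staff.get(owner_id)
            if owner is None or owner["status"] == "separated":
                flag(user, "4.5.4", "account of separated or unknown staff still enabled")
            elif owner["status"] == "transferred":
                flag(user, "4.5.4", "owner changed jobs; access rights not re-confirmed")

        if acct["privileged"] == "yes" and user not in approved_privileged:
            flag(user, "4.5.5", "privileged access not on the approved need-to-use list")

        last = acct["last_login"]
        if not last or (as_of - date.fromisoformat(last)).days > dormant_days:
            flag(user, "4.5.6", f"dormant: no login in more than {dormant_days} days")

    return findings


def run_sample_review() -> Dict[str, Set[str]]:
    """Run the review over the constructed data and group clauses by account."""
    grouped: Dict[str, Set[str]] = {}
    for f in review_access(HR_ROSTER_CSV, ACCOUNTS_CSV, APPROVED_PRIVILEGED, AS_OF):
        grouped.setdefault(f["username"], set()).add(f["clause"])
    return grouped


if __name__ == "__main__":
    for f in review_access(HR_ROSTER_CSV, ACCOUNTS_CSV, APPROVED_PRIVILEGED, AS_OF):
        print(f"{f['username']:<12} {f['clause']}  {f['finding']}")
```

On the sample data the review flags the leaver whose account is still enabled, the transferred user whose privileged account was never re-approved and has been dormant for months, and the shared operations ID with no recorded justification, while the justified service account and the active users pass. The HR roster, not the directory, is the authority on who is still staff; a review that only looks at the directory cannot see leavers whose accounts were never closed.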

Information System Access Control:

4.5.10 UNDP information systems, networks, services, operating software, and applications shall be configured to
ensure that appropriate access control and authorization mechanisms are implemented, functional, and effective.

4.5.11 The use of utility programs that might be capable of overriding system or other access controls shall be
restricted and tightly controlled.

4.5.12 Interactive sessions shall shut down after a defined period of inactivity, and restrictions on connection times
shall be used to provide additional security for high-risk applications.

Information Security in Networks


4.5.13 Automatic equipment identification shall be used to authenticate connections from equipment if it is important
that the communications can only be initiated from a specific location or equipment.

4.5.14 Physical and logical access to diagnostic and configuration ports shall be controlled.
4.5.15 Groups of information services, users and information systems should be segregated on networks. For shared
networks, especially those extending across UNDP's boundaries, the capability of users to connect to the network
should be restricted to UNDP business purposes on a need-to-know basis.
4.5.16 Routing controls should be implemented for networks to ensure that computer connections and information
flows do not breach the access control policy of the applications.

4.5.17 Access to operating systems should be controlled by a secure log-on procedure. All users should have a
unique user ID for their personal use only and a suitable authentication technique used to authenticate users.

4.5.18 Sensitive systems should have a dedicated (isolated) computing environment.


4.5.19 A formal policy, operational plans and procedures should be developed and implemented for tele-working
activities and appropriate security measures adopted to protect against the risks of using mobile computing and
communication facilities.

4.6 Statement 6 – Information Systems Acquisition, Development and Maintenance

4.6.1 Objective

To ensure information systems (e.g. applications, infrastructures, services, etc.) are designed with security as an
integral component and placed into production with all system-specific security requirements fully understood and
implemented.

4.6.2 Policy Statements

Security Requirements for Information Systems:

4.6.3 New information systems and major system enhancements shall be formally presented to and approved by the
ICT Board before being acquired or developed.

4.6.4 The security requirements of a new information system or system enhancement shall be identified and agreed
upon prior to system development or procurement.

4.6.5 Ownership responsibilities in respect to a new information system shall be agreed upon prior to its
implementation.

4.6.6 Data validation controls shall be incorporated during development and maintenance of information systems to
detect and prevent any corruption of information through input, processing, or output errors.

4.6.7 Requirements for ensuring authenticity and protecting message integrity in applications shall be identified, and
appropriate controls identified and implemented.

4.6.8 New information systems and system enhancements shall undertake formal testing in a controlled environment
with user acceptance testing (UAT) prior to their promotion to production status. Formal testing shall include
appropriate testing of all security requirements to ensure both their correctness and adequacy. Tests shall be
documented and test results shall be retained as information assets.

Cryptographic Controls:
4.6.9 The implementation of cryptographic controls during acquisition, development, and maintenance of
information systems shall be managed and shall incorporate appropriate key management procedures.

Security of System Files:

4.6.10 Procedures shall be implemented to control the installation of software on operational systems. Specific
responsibilities for the installation of software on operational systems shall be defined and allocated to appropriately
trained authorized users only. Operational software libraries shall be maintained and access to program source code
shall be restricted.

Security in Development and Support Processes:


4.6.11 All changes to production information systems (and their source code) shall be formally authorized and
controlled to prevent the potential compromise of business processing and security arrangements. Adequate and
documented testing of all changes shall be performed.

4.6.12 Before operating systems are changed, business-critical applications shall be reviewed and tested to ensure
there is no adverse impact on organizational operations or security.

4.6.13 Outsourced software development shall be supervised and monitored by the appropriate UNDP unit(s).

Technical Vulnerability Management:

4.6.14 Timely information about technical vulnerabilities of information systems being used shall be obtained,
exposure to such vulnerabilities evaluated, and appropriate measures taken to address associated risks.

4.6.15 Periodic assessments of risk to processes, information, systems and facilities shall be performed in light of
changing threats and technical vulnerabilities. Assessments shall be coordinated by the BoM/OIST ICT Security
unit.

4.7 Statement 7 – Information Security Incident Management

4.7.1 Objective

To ensure incidents affecting Information Security within UNDP are reported and responded to in a timely and
effective manner to allow corrective action to be taken.

4.7.2 Policy Statements

Reporting Information Security Incidents and Weaknesses:


4.7.3 All staff members and other authorized individuals or entities are required to report suspected information
security weaknesses or incidents to the BoM/OIST ICT Security unit (oist.security@undp.org).

Management of Information Security Incidents and Improvements:

4.7.4 The BoM/OIST ICT Security unit shall develop and maintain Information Security event reporting and
escalation procedures to ensure that Information Security events and weaknesses associated with information systems
are communicated in a manner allowing timely corrective action to be taken.

4.7.5 In cases where an Information Security incident may involve either legal action or an internal investigation, the
CISO may, in consultation with the Legal Support Office (LSO) and/or the Office of Audit and Investigation (OAI),
authorize the collection and retention of related evidence and its subsequent provision to the LSO and/or the OAI.

4.8 Statement 8 – Business Continuity Management

4.8.1 Objective

To ensure that UNDP is equipped to react to disruptions of operations, and to ensure the timely resumption of critical
business processes, following disasters or major failures of information systems.

4.8.2 Policy Statements

Information Security Aspects of Business Continuity Management


4.8.3 A business continuity process shall exist for all key business processes, based on the results of business impact
analyses and other applicable requirements. Events that can cause interruptions to business processes shall be
identified, along with the probability and impact of such interruptions and their consequences for Information
Security. The business continuity process shall aim to reduce the risk of disruption (whatever the cause) to an
acceptable level (through a combination of preventive and recovery controls) and ensure timely resumption of
essential business and support operations according to approved business resumption plans.

4.8.4 Business Continuity plans (BCP) and Disaster Recovery plans (DRP) shall be drawn up to facilitate, and assign
necessary responsibilities for, the recovery of required business processes and the resumption of business activities
within the timeframe necessary to meet mission requirements of the organization. Responsibilities shall be clearly
identified in the plans.

4.8.5 Business Continuity (BCP) and Disaster Recovery (DRP) plans shall be documented, formally agreed by the
affected process owners, and communicated to all relevant parties.

4.8.6 All business process owners shall review and test their BCPs and DRPs on an annual basis to ensure they
remain appropriate to the operating requirements of the organization. Test results shall be documented and corrective
actions taken as required.

4.9 Statement 9 – Compliance

4.9.1 Objective

To avoid breaches of any legal, statutory, regulatory, or contractual obligations of UNDP with regard to information,
its processing and usage, and to comply with all other Information Security-related regulations, rules, policies, and
procedures adopted by UNDP.

4.9.2 Policy Statements

Compliance with Legal Requirements

4.9.3 To ensure compliance with applicable legal, statutory, regulatory, and contractual requirements, procedures
shall be implemented to guide UNDP in terms of its obligations. Such obligations may be derived from, but are not
limited to:
 Decisions of UNDP policy-making organs
 Administrative directives
 Software licensing agreements

4.9.4 Important records shall be protected from loss, destruction, and falsification, in accordance with statutory,
regulatory, contractual, and business requirements.

4.9.5 Users shall be deterred from using information systems for any unauthorized or unlawful purposes. Users may
occasionally employ UNDP information systems for non-business uses (e.g. emailing a friend or listening to language
lessons during lunch break) so long as it does not interfere with business needs.

Compliance with Security Policies and Standards


4.9.6 UNDP managers shall ensure that all security procedures within their area of responsibility are carried out
correctly to achieve compliance with security policies and standards. Managers in Regional Centers and Country
Offices shall make an annual self-attestation that they are in compliance with this Information Security Policy and its
related standards. The CISO will make a similar statement on behalf of the UNDP Headquarters. Any non-
compliance must be documented along with the reasons for non-compliance.

Information Security Audit Considerations

4.9.7 Audit requirements and activities involving checks on operational systems shall be carefully planned and
agreed to in advance, to minimize the risk of disruptions to business processes.

4.9.8 Access to information systems audit tools shall be protected to prevent any possible misuse or compromise.

5.0 APPENDIX A – GLOSSARY OF TERMS

Authorized User

Any authorized user of UNDP ICT resources. May be a staff member, contract holder, intern, UN Volunteer, a
member of another UN agency using UNDP ICT resources, or any other third party using UNDP ICT resources.

Availability

Timely, reliable access to information for authorized users within an acceptable period at a level and in the form the
system user wants. This is one of the three goals of Information Security.

Confidentiality

Information is restricted to appropriate and necessary people. The level of confidentiality defines the degree of
protection that must be provided for information. This is one of the three goals of Information Security.

Data

Although this term is synonymous with 'information', it is often used in practice to refer to information in a particular
structure or format, such as electronically held information (e.g. authorized users' data, data protection/privacy, data
transfer). There is no substantial distinction between 'information' and 'data', and the term 'information' will be
considered to subsume any references to 'data'.

Information

Information is recognized by its capacity or potential to provide, either directly or indirectly, data or any knowledge,
regardless of its physical or intangible character or make-up.

Information Assets

Items owned by the organization that are a necessary part of the process of gathering, storing, or manipulating
information. As well as information itself, this definition extends to computing (e.g. hardware, software, or
peripherals), premises (e.g. offices, safes, or filing cabinets), essential utility services (e.g. power or telephony), key
documentation (core procedures or hard copy legal records) and even essential staff roles (e.g. having backup for key
individuals, where necessary).

Information System

An integrated set of components, applications, or services designed to store, manipulate, communicate, or otherwise
process or utilize information to generate meaningful product for authorized system users. An information system
might comprise a single processor or extend to a widely distributed network of processing and storage devices.

Integrity

Integrity ensures that information can be relied upon for accuracy and reliability. This is one of the three goals of
Information Security.

Malicious Code

Computer software, an application, or machine code written, distributed, or exchanged with the intent of causing
harm, damage, mischief, or for performing other malicious acts. “Malicious code” includes viruses, worms, Trojans,
or associated hoaxes.

Mobile Code

Software obtained from remote systems, transferred across a network, and then downloaded and executed on a local
system without explicit installation or execution by the recipient. Examples of mobile code include scripts
(JavaScript, VBScript), Java applets, ActiveX controls, Flash animations, Shockwave movies (and Xtras), and macros
embedded within MS Office documents.

Other Authorized Individual or Entity

An individual or entity, other than a staff member or an accredited delegate, authorized by the Chief Information
Security Officer (CISO) to access UNDP information or resources (e.g. Contractor, Special Services Agreement
contractor, Consultant, Intern, qualified Expert, Student Work Training Programme, etc.).

Policy

Policy sets out the overall objectives of the organization. It is mandatory that every staff member, manager, and
executive of the organization meet those objectives. Policy contains broad statements and is implemented through the
issue and adoption of subordinate standards targeted at specific objectives, or otherwise through agreed business
processes.

Sensitive Information

Sensitive information is an over-arching term that covers any information received or generated by UNDP that is
important enough to protect because unauthorized access to, or loss, misuse or modification of, such information could
adversely affect the effectiveness or credibility of UNDP, activities carried out by UNDP, or the interests of an
affiliated or commercial body or of an individual. Examples of sensitive information are medical information, financial
information, and operational procedures. Documents containing sensitive information shall be marked with a special
handling qualifier such as "Confidential" and/or "internal use only."

Staff Member

Individuals holding UNDP letters of appointment which are governed by the UN Staff Regulations and Rules. Note
that this excludes personnel holding SSA or service contracts as well as UN Volunteers and Interns.

Standards

Standards are written to address specific statements within the Information Security Policy and define the minimum
criteria in respect to how Information Security Policy objectives are to be achieved. Conformance to standards is
mandatory.

INDEX

Appendix A – Glossary of Terms.......................................................................................................................... 21


Compliance with ICT Policies and Guidelines......................................................................................................... 4
Effective Date ........................................................................................................................................................ 6
Introduction............................................................................................................................................................ 5
Introduction, Purpose and Scope ............................................................................................................................. 5
Policy Compliance ................................................................................................................................................. 7
Policy Exceptions ................................................................................................................................................... 8
Principal Declaration .............................................................................................................................................. 8
Principal Declaration on Information Security Management .................................................................................... 8
Purpose .................................................................................................................................................................. 5
Responsibilities ...................................................................................................................................................... 6
Scope ..................................................................................................................................................................... 6
Statement 1 – Asset Management ......................................................................................................................... 10
Statement 2 – Human Resources Security ............................................................................................................. 11
Statement 3 – Physical and Environmental Security .............................................................................................. 12
Statement 4 – Communications and Operations Management ................................................................................ 13
Statement 5 – Access Control ............................................................................................................................... 16
Statement 6 – Information Systems Acquisition, Development and Maintenance ................................................... 17
Statement 7 – Information Security Incident Management ...................................................................................... 19
Statement 8 – Business Continuity Management ................................................................................................... 19
Statement 9 – Compliance .................................................................................................................................... 20
Supporting Policy Statements ................................................................................................................................. 9
The Information Security Programme ..................................................................................................................... 7
