Information Technology:
IT Security Policy
[Version 1.0]
Note
For significant changes to this document, the version number is incremented by 1.0.
For changes made for clarity or reading ease, without changing the meaning or
intention of this document, the version number is increased by 0.1.
Purpose
2. Scope
4.1 Storage
4.4 Copying
4.5 Disposal
4.8 System planning and acceptance
2. Scope
2.1 DIPL recognizes the role of information security in ensuring that users have access to the
information they require in order to carry out their work.
1. the integrity of information is maintained, so that it is accurate, up to date and fit for purpose;
2. information is always available to those who need it and there is no disruption to the business of
DIPL;
3. confidentiality is not breached, so that information is accessed only by those authorized to do so;
4. DIPL meets its legal requirements, including those applicable to personal data under the Data
Protection Act, and
5. the reputation of DIPL is safeguarded.
2.6 Information security risk assessments should be performed for all information systems on a
regular basis in order to identify key information risks and determine the controls required to keep
those risks within acceptable limits.
2.7 DIPL is committed to providing sufficient education and training to users to ensure they
understand the importance of information security and, in particular, exercise appropriate care when
handling confidential information.
2.8 Breaches of information security must be recorded and reported to the IT Head, who will take action
and inform the relevant authorities.
2.9 This Policy and all other supporting policy documents shall be communicated as necessary
throughout DIPL to meet its objectives and requirements.
3. Responsibilities
Managing Director - India
3.1 The Managing Director - India has ultimate responsibility for information security within DIPL and
is responsible for ensuring that DIPL complies with relevant external requirements, including
legislation.
Head Compliance
3.2 The Head - Compliance and IT are responsible for
2. reputational damage
3. an adverse effect on the safety or well-being of members of DIPL or those associated with it
4.1 Storage
4.1.1 Confidential information should be kept secure,
using, where practicable, dedicated storage
(e.g. file servers), hard disks, and an appropriate level of physical security.
4.1.2 File or disk encryption should be considered as an additional layer of defense, where physical
security is considered insufficient.
DACHSER
4.2 Access
4.2.1 Confidential information is stored in such a way as to ensure that only authorised persons can
access it.
4.2.2 All users must be authenticated. Authentication should be appropriate, and where passwords
are used, clearly defined policies should be in place and implemented. Users must follow good
security practices in the selection and use of passwords.
4.2.4 To allow for potential investigations, access records should be kept for a minimum of 3 months,
or for longer, where considered appropriate.
4.2.5 Users with access to confidential information should be security vetted, as appropriate, in
accordance with existing policies.
4.4 Copying
4.4.2 The number of copies made of confidential information, whether on portable devices or media
or in hard copy, should be the minimum required, and, where necessary, a record kept of their
distribution. When no longer needed, the copy should be deleted or, in the case of hard copies,
destroyed (see 6.12.5).
4.4.3 All copies should be physically secured, e.g. stored in a locked cupboard, drawer or filing
cabinet.
4.5 Disposal
Policies and procedures must be in place for the secure disposal/destruction of confidential
information. Refer to the DIPL IT policy on IT Asset Scrap and Disposal.
5. Compliance
5.1 DIPL has established this policy to promote information security and compliance with known best
practices and regards any breach of information security requirements as a serious matter, which
may result in disciplinary action.
5.2 Compliance with this policy should form part of any contract with a third party that may involve
access to network or computer systems or data.
Glossary
Access Control - ensures that resources are only granted to those users who are entitled to them.
Appropriate - suitable for the level of risk identified and justifiable by risk assessment.
Asset - anything that has a value to DIPL.
Audit - information gathering and analysis of assets to ensure such things as policy compliance and
security from vulnerabilities.
Authentication - the process of confirming the correctness of a claimed identity.
Best Practice - current standard advice for implementing security controls, synonymous with 'good
practice'.
Confidentiality - Confidentiality is the need to ensure that information is disclosed only to those who
are authorized to view it.
Control - a means of managing risk by providing safeguards. This includes policies, procedures,
guidelines, other administrative controls, technical controls or management controls.
Data - Information held in electronic form.
entitled Information technology - Security techniques - Code of practice for information security
management.
Policy - overall intention and direction as formally expressed by management.
Risk - the potential for an unwanted event to have a negative impact as a result of exploiting a
weakness. It can be seen as a function of the value of the asset, threats and vulnerabilities.
Risk Assessment - overall process of identifying and evaluating risk.
IT Security Policy- User Declaration Form
confidential data/information.
Should I fail in adherence of IT Security Policy, DIPL can take the appropriate disciplinary action
against me as necessary.
Sign: Date:
Declaration to be handed over & accepted by IT Engineer/Coordinator
Sign:
Name: Date: