MJ Pvt. Ltd.
Version 1
Date: 17/03/2023
Table of Contents
1. PURPOSE
2. SCOPE
3. SECURITY POLICIES
2. SCOPE
This policy applies to all automated and manual systems for which the entity has administrative
responsibility, including those administered or hosted by outside parties on the entity's behalf. It
covers any data produced or used to support corporate operations, regardless of its form or
format.
3. SECURITY POLICIES
3.1 ACCESS CONTROL POLICY
3.1.1 Assign account managers to oversee the use of accounts, and define and document the
types of accounts that are expressly permitted and prohibited in the system. Create and
implement a procedure for changing shared or group account authenticators (if used) when
members are removed from the group. (NIST 800-53 V.5, AC-2)
3.1.2 Allow access to computing platforms, applications, or data located in multiple security
domains from a single device while preventing information flow between those security
domains, and record and audit content filtering actions and results for information that is
filtered while moving between security domains. (NIST 800-53 V.5, AC-4)
3.1.3 Prohibit non-organizational users from having privileged access to the system, log the
execution of privileged functions, and prevent non-privileged users from executing privileged
functions. (NIST 800-53 V.5, AC-6)
3.1.4 Prevent further access to the system by initiating a device lock after 15 minutes of
inactivity, require the user to initiate a device lock before leaving the system unattended, and
keep the device locked until the user regains access by completing the established
identification and authentication procedures. (NIST 800-53 V.5, AC-11)
3.1.5 Use automated mechanisms to monitor and control remote access methods, and use
cryptographic mechanisms to protect the confidentiality and integrity of remote access
sessions. (NIST 800-53 V.5, AC-17)
3.2.2 Develop and maintain an enterprise architecture that takes into account information
security, privacy, and the resulting risk to organisational operations, assets, individuals, other
organisations, and the nation. (NIST 800-53 V.5, PM-7)
3.2.3 Address information security and privacy issues when developing, documenting, and
updating a plan to protect critical infrastructure and key resources. (NIST 800-53 V.5, PM-8)
3.2.4 Implement the risk management strategy consistently across the organisation, and
review and update it every month or as needed to reflect organisational changes. (NIST
800-53 V.5, PM-9)
3.3.2 XYZ Organization determines the content of training based on the assigned roles and
responsibilities of individuals and on the security and privacy requirements of the
organization and of the systems to which personnel have authorized access, including
technical training specifically tailored to assigned duties. (NIST 800-53 V.5, AT-3 Role-Based
Training)
3.4.2 Install signature-based malicious code protection mechanisms at system entry and
exit points to detect and eradicate malicious code, and update those mechanisms automatically
whenever new releases become available, in accordance with organisational configuration
management policy and procedures. (NIST 800-53 V.5, SI-3)
3.4.3 Use automated tools and methods to provide near-real-time event analysis. Integrate
and configure separate intrusion detection technologies into a system-wide intrusion
detection system. (NIST 800-53 V.5, SI-4)
3.4.4 Employ automated tools to support the management of distributed security and
privacy function testing, and report the results of security and privacy function verification
to senior agency information security officers. (NIST 800-53 V.5, SI-6)
3.4.5 Use centrally managed integrity verification tools and cryptographic mechanisms to
detect unauthorized changes to software, firmware, and data. (NIST 800-53 V.5, SI-7)
3.5.5 Terminate the network connection associated with a communications session at the end
of the session or after 30 minutes of inactivity. (NIST 800-53 V.5, SC-10)