This security policy involves the security of ZUAR Inc. It consists of security objectives, guidelines for their achievement, and overall security management strategy and implementation of policies on key security mechanisms. Information security policy complies with EVS-ISO/IEC TR 13335 Guidelines, models and terms, the standards EVS ISO / IEC 2382-8 and EVS-ISO/IEC TR 13335 are used for information security terms.
The security policy is for all subdivisions of ZUAR Inc. and regulates interactions and relationships with thefollowing subjects:
The security policy establishes the guidelines and procedures in the scope of assets that ZUARr employees are required to know and comply with as a primary means of achieving security goals. Security policy is the base for planning, design, execution and management of security.
1.4.1 Security of assets must be maintained to the extent that ZUAR could function normally and without interruptions in the case of most probable threats, to achieve its business goals.
1.4.2 Security measures must be economically justified and their disruptive effect to ZUAR operations and staff must be as small as possible.
1.4.3 Asset availability, integrity and confidentiality must conform to an average level of security.
1.4.4 Compliance to the security legislation (including copyright, personal information, state laws and regulations and workers health and safety requirements and fire safety requirements) must be ensured. To meet this requirement, some objects and processes must be protected with measures above the average level of security if needed.
1.4.5 Due to contractual and similar relationships with partners, security measures above the average level must be used to meet the requirements of objects and processes where appropriate. When preparing the contracts, resource costs for additional security must be taken into account and the security measures must be economically justified.
1.5.1 General security methodology is based on the standards EVS-ISO/IEC 27001 and EVS-ISO/IEC 17799.
1.5.2 The baseline for electing, deployment and management of security measures is ISKE that is compiled from German Information Security Agency's (BSI) baseline security. The term 'secure' in the following text means the compliance to ISKE baseline security measures.
1.5.3 Assets usage permissions are granted to the workers on the basis of work-related needs.
1.5.4 For any asset the is some individual responsible for it.
2.1.1 Security Council makes the important decisions on the subject of security. Security Council consists of the ZUAR chairman of the board and the people in the following roles:
2.1.2 Security Council shall meet at least once a year to examine the security situation and to make necessary changes to security practices.
2.1.3 Security Council members are determined by the executive management.
2.2.1 Security officers responsibility is determined by the subdivision or area they work in.
2.2.2 ZUAR technology security officer is responsible for the general security in ZUAR.
2.2.3 All voice communication is treated the same as other electronic medium and is the responsibility of the CTO.
2.2.4 People are responsible for assets given to them for work.
2.2.5 People are financially responsible.
2.3.1 Security roles listed in section 2.1 must be filled all the time. Efforts should be made to avoid the simultaneous missing of a role holder and his deputy. When this is not possible, security officer will appoint another deputy for the corresponding period of temporary absence, and instruct him.
2.3.2 Information security officer will be responsible for the security of assets that are in use by staff members without continuous security role.
2.4.1 All real and alleged security incidents must be reported immediately.
2.4.2 Information security incidents must be reported to subdivisions information security officer.
2.4.3 General security incidents must be reported, depending on the situation, either to department head and / or to a local or general security officer, or to immediately contact the appropriate authorities (see 8.4).
Subunits have the right to impose additional provisions and detailed policies about its objects and security mechanisms, if these are not inconsistent with this security policy.
3.1.1 Acceptable residual risk is decided once a year.
3.1.2 ZUAR board accepts the residual risk of 250 000 EEK for 2008.
3.2.1 A Security Council member should test the conformance of security to the security policy at random once a month.
3.2.2 Security Council performs an internal audit to check the conformance to baseline security at least once a year.
3.2.3 External audits are performed Security Council deems necessary.
3.3.1 Under the present conditions, insurance is not economically justified for ZUAR.
4.1.1 Infrastructure The following items must meet the medium level of availability and integrity:
4.1.2 Data and documentation
For ZUAR's activity, especially the following types of data are important security-wise:
The integrity and availability of the following hardware is important:
Availability and integrity of the following communications equipment is important:
Availability, integrity and legality of commercial and self-made software is important.
4.2.1 Information assets listed in Section 4.1, except those of (4.1.6) and the complimentary property (22.214.171.124) must be identified, documented, evaluated quantitatively or qualitatively, and listed in asset specifications according to ISKE requirements.
4.2.2 In assessing the price of assets, both monetary value of assets and possible indirect damages from security incidents (destruction, damage, exposure) resulting in the slowdown in work processes, damage to public image etc, must be taken into account.
6.1.1 Access to resources is role-based, according to job requirements.
6.1.2 IT user roles are defined by IT system features and from the structure of IT management.
6.1.3 IT role set must have at least 3 levels for access to data: no access, read-only, read-write.
6.2.1 Access passwords must be changed at least twice a year.
6.2.2 System, network and other administrative passwords must be stored in written form in a safe.
6.3.1 For accessing internal network resources across the public network and for the transmission of confidential data across public network, only secure connections must be used: VPN connections, SSL / HTTPS connections, and encrypted mail messages.
6.3.2 All confidential data on computers being carried outside the company perimeter (laptops, computers of home workers), all confidential data on hard disks must be encrypted. Encryption keys must be duplicated in a safe backup.
6.3.3 The minimum acceptable key length for symmetric encryption is 256 bits.
6.3.4 The minimum acceptable key length of asymmetric encryption is 1024 bits.
6.4.1 Logs to must be able to identify authorized and unauthorized attempts to access recourses, with the exact time and place of origin.
6.4.2 System and networking log check must be performed randomly at least once a week after the respective incidents.
6.4.3 All logs must be stored for at least four weeks.
6.5.1 All unnecessary paper documents with confidential data (see 126.96.36.199-188.8.131.52) must be destroyed with a shredder.
6.5.2 Retired and / or discarded from archive storage media must be destroyed physically.
6.5.3 To delete state secret or highly confidential data from disk, secure deletion must be used.
6.6.1 New software must be tested before use and confirmed to be suitable.
6.6.2 No real data must be used for testing and demos.
6.7.1 All assets must be acquired legally.
6.7.1 All uses of the assets should be legal.
7.1.1 ZUAR network must meet the following two-level logical structure:
7.1.2 All cabling (electricity, communications, telephone, alarm system, etc.) must be marked and documented and placed hidden. Wiring documentation must include the exact location in the building, cable specifications (make, capacity), wire marking (color, symbols, markings in distribution points etc.), the location, type, installation and repair times of distribution equipment and type of cables.
7.2.1 The company has one common internal network.
7.3.1 Internal and external web servers must be located in different computers.
7.3.2 In addition to the web serving, external web servers can only run FTP server.
7.3.3 Mail server relay feature must be absent or permanently disabled.
7.4.1 Internal e-mails should not be sent outside internal network (even in quoted form).
7.4.2 Mail sent to public network must include the proper name of the sender.
7.4.3 Incoming and outgoing mail must be subjected to virus scanning.
7.4.4 Opening active contents (.EXE, .VBS etc.) in incoming e-mail is permitted only for security investigation purposes and in agreement with information security officer.
7.4.5 When possible, avoid sending documents in formats allowing macros.
7.4.6 Files attached to e-mail must not contain parts of other files which do not show up with the viewer.
7.5.1 Transmission of confidential information by telephone should be avoided, especially with mobile phones.
7.6.1 ZUAR's fax or fax software may be used only by authorized personnel.
7.6.2 Fax modems of LAN workstations must not be connected to external networks.
7.7.1 Materials transferred using portable storage device or a CD must not contain any hidden data or other materials.
7.7.2 When receiving materials with portable storage device, virus check must be performed.
7.7.3 Equipment to be delivered must not contain extraneous programs or data.
7.8.1 Avoid confidential matters in public zones.
184.108.40.206 Corridor doors must be self-closing and self-locking.
220.127.116.11 The entrance to building must be locked outside of working hours.
8.1.2 Access to premises
8.1.3 Other locks
8.2.1 Room designation
8.2.2 Fire alarm system
8.2.3 Fire-fighting equipment
8.2.4 Environmental measures
8.2.5 Security of premises
8.2.6 Security of special rooms
8.2.7 Workplace security
8.2.8 Maintenance and repair work
8.3.1 Mobile equipment
8.3.2 Other devices
8.3.4 Interruptions in technical services
8.4.1 The employee who discovers the danger will contact police or emergency number 112.
8.4.2 Communication specialist will deal with network service providers.
8.4.3 On electricity issues, security officer interacts with the relevant authorities.
9.1.1 Candidates for vacant jobs should be selected on the basis of job requirements.
9.1.2 Each candidate's background must be checked from a security risk perspective.
9.2.1 On appointing to the job, new staff must carefully read the following documents and confirm their knowledge with their signature:
9.2.2 For contract workers, the appropriate security requirements must be included the contract in each case.
9.2.3 Head of department is responsible for instructing of a new employee.
9.3.1 Staff will receive notifications via the intranet news.
9.3.2 Operative security information is distributed through the inner mailing list.In this mailing list the follwing events must be announced:
Staff security training consists mainly of reading the security guides
9.5.1 By the end of the last working day, the dismissed worker must give all of its assets back to ZUAR.Department head is responsible for the take-back.
9.5.2 By the end of the last working day, all means of access (keys) and credentials must be taken away (change the passwords, remove from access control lists).Department head is responsible for the take-back, but department's information security officer will do it.
9.5.3 If necessary, the measures in 9.5.1 and 9.5.2 are taken immediately after dismissal decision.
9.6.1 In case of breach of security requirements, the offender will be prosecuted with penalties ranging from public reprimand to dismissal.
9.6.2 ZUAR directorate must make the offender to compensate caused physical damage.
9.7.1 Teleworking is entitled case by case.
9.7.2 Teleworking may be conducted only through a secure communications and in compliance with other appropriate security requirements.
9.8.1 User access rights' compliance with the real needs shall be inspected ideally twice a year.
9.9.1 Workplace and home contacts of each worker of ZUAR must be available to all employees on the intranet. Contact details are confidential.
9.9.2 External web site of ZUAR must contain the contact details of all important roles.
9.9.3 Other staff's contact information may be published online only on the employee's consent.
10.1.1 Typical time for keeping archived materials is seven years.
10.1.2 In exceptional cases, which may result from the corresponding laws (Commercial Code, Law on Archives, rules for archival), or other considerations, the time is decided by head of sub-unit.
10.2.1 Secret and confidential documents must be kept in fireproof safe.
10.2.2 Any other documents to be archived must be stored in archive room on shelves, in labeled folders and boxes.
10.2.3 The originals of technical documents must be kept in archive.
10.2.4 Other non-public documents must be kept in closed cabinets or drawers.
10.3.1 Media with secret contents must be kept in a safe.
10.3.2 Other significant (see 18.104.22.168-22.214.171.124) media should be labeled and maintained in archive.
10.4.1 Obsolete documents and data storage for disposal must be archived, and at the end of archival time physically destroyed.
10.4.2 Floppy disks must be sanitized by re-formatting before re-using them.
10.4.3 Defective media should be disposed when defects occur.
10.5.1 Inter-authority transfer and adoption of documents and media should be documented.
10.5.2 The transfer by mail or other intermediary or channel of communication must be acknowledged by receipt of the guarantee.
10.5.3 See also Section 7.4 and 7.7.
11.1.1 Data and software
11.1.2 Storage and testing of backups
11.1.4 Communication cables
11.1.7 Technical and records
See 126.96.36.199 10.1-10.3.
11.2.1 The list of possible emergencies should be reviewed at least yearly.
11.2.2 If needed, establish contracts for possible fast of delivery of replacements.
11.2.3 Resources for the unexpected actions of at least acceptable residual risk must be taken into account in drawing up the budget of ZUAR.
12.1.1 Operative monitoring
12.1.2 Random security checks
In subunits, the information security must be randomly checked at least once every two months.
12.1.3 Regular review of security
Should be performed at least once a year.
12.2.1 The security policy is changed, if so required by the security monitoring results (see 12.1).
12.2.2 The security policy is amended, if the need arises from the appearance of a new version of baseline security directory.
12.2.3 Security Council makes the amendments in all cases, in no later than one week.
12.2.4 Security changes due to security policy changes are carried out within one month.This security policy is based on the materials of Cybernetica AS.