Feb 22, 2024
BS740 - Information Security Responsibilities
Section: Business Services
SubSection: Information Security
- The IT Security Team shall be chaired by the Executive Director of Information Solutions and composed of various members of the Information Solutions department.
- All DMACC employees, administrators, students, contractors, third-party users, consultants, suppliers and service providers who require access to DMACC’s information and associated assets to carry out their work are commonly termed “users” throughout the DMACC Information Security Policies Manual and procedure documents.
- All users who need access to DMACC’s information systems environment are responsible for ensuring that the Information Systems Security Policy and Procedures are adhered to and that they operate systems in a manner that ensures their security.
- The IT Security Team is responsible for approving the DMACC Information Systems Security Policies and supporting procedures, and any modification to the policies after their enactment.
- The chair of the IT Security Team is responsible for ensuring that the DMACC Information Systems Security Manual is current and reflects the requirements of DMACC, and for ensuring the development of underlying standards, procedures and roles for managing security.
- Management at all levels is responsible for ensuring that staff are aware of, and adhere to, this policy manual and the standards thereunder. The Information Solutions Team may also involve other department heads in training, updating the policy or implementation.
- The chair of the IT Security Team is responsible for disseminating the policies and ensuring compliance with the policies.
- The internal audit team or a trusted external audit agency shall be responsible for auditing the level of compliance with the policies on an annual basis.
Policy and Procedures Framework:
- The Policy and Procedures are high-level statements that provide guidance to DMACC management and users. The Information Solutions Policy and Procedures are also generalized requirements that must be documented and communicated to specifically identified groups internal and external to the organization. The Information Solutions Policy and Procedures are management instructions indicating a course of action, a guiding principle, or an appropriate procedure, which is appropriate and advantageous to the organization.
- DMACC’s policy and procedures framework is composed of three tiers:
  - Tier 1: This encompasses the Policy with high-level policy statements
  - Tier 2: Procedures with process workflows
  - Tier 3: Guidelines, Forms and Templates and Measurement Metrics
- The Information systems of DMACC contain data / information pertaining to DMACC’s customers and other business entities that are fundamental for its daily operations and to render effective service to its customers and regulatory bodies. It is therefore essential that the confidentiality, integrity and availability of the information stored and processed on DMACC’s information processing systems are protected by the implementation of adequate and strong security controls at all levels.
- Part of Procedure or Process documents, contains Measurement Metrics, Forms and Templates which assist in the implementation of the policies, process and procedures
- These documents shall be reviewed and approved by the IT Security Team
The following procedures are the Information Systems Security Policy documents present at DMACC.
DMACC Information Security Procedures List
- Human Resources Security Procedure
- User Access Management Procedure
- Antivirus Procedure
- Data Backup & Recovery Procedure
- Password Security Procedure
- Patch Management Procedure
- Logging & Monitoring Procedure
- Network Security Procedure
- Mobile Computing Procedure
- E-Mail Security Procedure
- Third party & Outsourcing Security Procedure
- IT Incident Management Procedure
- Change Management Procedure
- Capacity Management Procedure
- The chair of the IT Security Team shall be responsible for reviewing the DMACC Information Security Policy and Procedures manual on an annual basis to ensure that it meets legal requirements and reflects industry best practices.
- The internal auditor, an independent officer, or an external agency may carry out such review on a regular basis as and when required.
- Any changes, modifications or amendments to the policy shall be discussed and approved by the IT Security Team during periodic management meetings.