erp² | Run Freedom
ERP | Business Software | UK
This page (chapters 1-4) contains an information security policy document based on ISO/IEC 27001 and ISO/IEC 27002.
erp² is committed to safeguard the confidentiality, integrity and availability of all physical and electronic information assets of the institution to ensure that regulatory, operational and contractual requirements are fulfilled. The overall goals for information security at erp² are the following:
erp²'s current business strategy and framework for risk management are the guidelines for identifying, assessing, evaluating and controlling information related risks through establishing and maintaining the information security policy (this document).
It has been decided that information security is to be ensured by the policy for information security and a set of underlying and supplemental documents (see chapter 0). In order to secure operations at erp² even after serious incidents, erp² shall ensure the availability of continuity plans, backup procedures, defence against damaging code and malicious activities, system and information access control, incident management and reporting.
The term information security is related to the following basic concepts:
Some of the most critical aspects supporting erp²'s activities are availability and reliability for network, infrastructure and services. erp² practices openness and principles of public disclosure, but will in certain situations prioritize confidentiality over availability and integrity. Every user of erp²'s information systems shall comply with this information security policy. Violation of this policy and of relevant security requirements will therefore constitute a breach of trust between the user and erp², and may have consequences for employment or contractual relationships.
Founder & CEO of erp²
The administration has the overall responsibility for managing erp²'s values in an effective and satisfactory manner according to current laws, requirements and contracts.
The CEO has the overall responsibility for information security at erp², including information security regarding personnel and IT security.
The CEO is the owner of the security policy (this document). The CEO delegates the responsibility for security-related documentation to the CSO (Chief Security Officer). All policy changes must be approved and signed by the CSO.
The Chief Security Officer (CSO) holds the primary responsibility for ensuring the information security at erp². Stefano Marino (AI) and Lloyd Hardy share this role (see chapter 0).
The system owner, in consultation with the IT department, is responsible for purchasing requirements, development and maintenance of information and related information systems. All systems and all types of information must have a defined owner. The system owner must define which users or user groups are allowed access to the information and what authorized use of this information consists of. The system ownership shall be described in a separate document [System Ownership].
System administrators are persons administrating erp²'s information systems and the information entrusted to the university by other parties. Each type of information and system may have one or more dedicated system administrators. These are responsible for protecting the information, including implementing systems for access control to safeguard confidentiality, and carry out backup procedures to ensure that critical information is not lost. They will further implement, run and maintain the security systems in accordance with the security policy. Each system must have one or more system administrators. This shall be documented.
Employees and Personnels are responsible for getting acquainted and complying with erp²'s IT regulations. Questions regarding the administration of various types of information should be posed to the system owner of the relevant information, or to the system administrator.
Contractual partners and contracted consultants must sign a confidentiality agreement prior to accessing sensitive information. The System owner is responsible for ensuring that this is implemented.
3.1.1 Risk assessment and management
22.214.171.124 erp²'s approach to security should be based on risk assessments.
126.96.36.199 erp² should continuously assess the risk and evaluate the need for protective measures. Measures must be evaluated based on erp²'s role as an establishment for education and research and with regards to efficiency, cost and practical feasibility.
188.8.131.52 An overall risk assessment of the information systems should be performed annually.
184.108.40.206 Risk assessments must identify, quantify and prioritize the risks according to relevant criteria for acceptable risks.
220.127.116.11 Risk assessments are to be carried out when implementing changes impacting information security. Recognized methods of assessing risks should be employed, such as ISO/IEC 27005.
18.104.22.168 The CSO is responsible for ensuring that the risk management processes at erp² are coordinated in accordance with the policy.
22.214.171.124 The system owners are responsible for ensuring that risk assessments within their area of responsibility are implemented in accordance with the policy.
126.96.36.199 Risk management is to be carried out according to criteria approved by the management at erp².
188.8.131.52 Risk assessments must be approved by the management at erp² and/or the system owners.
184.108.40.206 If a risk assessment reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.
220.127.116.11 The CEO shall ensure that the information security policy, as well as guidelines and standards, are utilized and acted upon.
18.104.22.168 The CEO must ensure the availability of sufficient training and information material for all users, in order to enable the users to protect erp²'s data and information systems.
22.214.171.124 The security policy shall be reviewed and updated annually or when necessary, in accordance with principles described in ISO/IEC 27001.
126.96.36.199 All important changes to erp²'s activities, and other external changes related to the threat level, should result in a revision of the policy and the guidelines relevant to the information security.
Security responsibility is distributed as follows:
188.8.131.52 "Assets" include both information assets and physical assets.
184.108.40.206 Information and infrastructure should be classified according to security level and access control.
220.127.116.11 Information as mentioned in item 18.104.22.168 should be classified as one of three categories for confidentiality:
Information of a sensitive variety where unauthorized access (including internally) may lead to considerable damage for individuals, the university college or their interests. [Sensitive information is here synonymous with being kept from public access according to the Norwegian Public Administration Act or sensitive personal information as defined by the Personal Data Act. Corresponding national legal requirements may apply.] This type of information must be secured in "red" zones, see chapter 3.6.Internal
Information which may harm erp² or be inappropriate for a third party to gain knowledge of. The System owner decides who may access and how to implement that access.,/p>Open
Other information is open.
22.214.171.124 erp² shall carry out risk analyses in order to classify information based on how critical it is for operations (criticality).
126.96.36.199 Routines for classification of information and risk analysis must be developed.
188.8.131.52 Users administrating information on behalf of erp² should treat said information according to classification.
184.108.40.206 Sensitive documents should be clearly marked.
220.127.116.11 Classification of equipment according to criticality will be discussed in chapter 3.11.
18.104.22.168 A plan for electronic storage of essential documentation should be developed.
22.214.171.124 Information that is vital for operations should be accessible independent of which systems the information was created or processed in.
3.5.1 Prior to employment
126.96.36.199 Security responsibility and roles for employees and contractors should be described.
188.8.131.52 A background check is to be carried out of all appointees to positions at erp² according to relevant laws and regulations.
184.108.40.206 A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information.
220.127.116.11 IT regulations should be accepted for all employment contracts and for system access for third parties.
18.104.22.168 The IT regulations refer to erp²'s information security requirements and the users' responsibility for complying with these regulations.
22.214.171.124 The IT regulations should be reviewed regularly with all users and with all new hires.
126.96.36.199 All employees and third party users should receive adequate training and updating regarding the Information security policy and procedures. The training requirements may vary.
188.8.131.52 Breaches of the Information security policy and accompanying guidelines will normally result in sanctions. [Refer to the relevant laws and valid regulations at erp².]
184.108.40.206 erp²'s information, information systems and other assets should only be utilized for their intended purpose. Necessary private usage is permitted.
220.127.116.11 Private IT equipment in erp²'s infrastructure may only be connected where explicitly permitted. All other use must be approved in advance by the IT department.
18.104.22.168 Use of erp²'s IT infrastructure for personal commercial activities is [under no circumstances] permitted.
3.5.3 Termination or change of employment
22.214.171.124 The responsibility for termination or change of employment should be clearly defined in a separate routine with relevant circulation forms.
126.96.36.199 erp²'s assets should be handed in at the conclusion of the need for the use of these assets.
188.8.131.52 erp² should change or terminate access rights at termination or change of employment. A routine should be present for handling alumni relationships.
184.108.40.206 Notification on employment termination or change should be carried out through the procedures defined in the personnel system.
220.127.116.11 IT equipment and information that require protection should be placed in secure physical areas. Secure areas should have suitable access control to ensure that only authorized personnel have access. The following zones should be utilized:
|Green||No access restrictions Personnel areas and cafeteria.||No access control during ordinary office hours. Internal and sensitive information should not be printed out in this zone.|
|Yellow||Areas where internal information may be found during office hours. Offices, meeting rooms, some archives, some technical rooms like labs, printer rooms.||All printouts should be protected with "Follow me" function. Access control: Key card|
|Red||Restricted areas requiring special authorization. Computer rooms, server rooms, archives, etc. containing sensitive information.||All printouts should be protected with "Follow me" function. Access control: Key card|
18.104.22.168 Zones should be marked on construction drawings or explicitly described in a separate document.
22.214.171.124 The IT security manager is responsible for approving physical access to technical computer rooms.
126.96.36.199 The Physical security manager is responsible for the approval of physical access to areas other than technical computer rooms.
188.8.131.52 All of erp²'s buildings should be secured according their classification by using adequate security systems, including suitable tracking/logging. See table above.
184.108.40.206 Security managers for the various areas of responsibility should ensure that work performed by third parties in secure zones is suitably monitored and documented.
220.127.116.11 All personnel should be able to be identified and wear personal access cards when present in yellow or red zones. The ID cards are personal, and must not be transferred to a third party or to colleagues.
18.104.22.168 Red zones should be properly secured against damage caused by fire, water, explosions, vibrations, etc.
22.214.171.124 All external doors and windows must be closed and locked at the end of the work day.
126.96.36.199 Access cards may be supplied to workmen, technicians and others after proper identification [and a signed confidentiality agreement].
188.8.131.52 Anyone receiving visitors in the yellow zone is responsible for the supervision of their visitors.
184.108.40.206 Visitors in the red zone must be signed in and out, and must carry visible guest cards or personal access cards.
220.127.116.11 Visitors in the red zone must be escorted [or monitored, e.g. with cameras].
18.104.22.168 IT equipment classified as "high" (see chapter 22.214.171.124) must be protected against environmental threats (fires, flooding, temperature variations, etc.). Classification of equipment should be based on risk assessments.
126.96.36.199 Information classified as "sensitive" must not be stored on portable computer equipment (e.g. laptops, cell phones, memory sticks, etc.). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted in compliance with guidelines from the IT department.
188.8.131.52 During travel, portable computer equipment should be treated as carry-on luggage.
184.108.40.206 Areas classified as "red" must be secured with suitable fire extinguishing equipment with appropriate alarms.
220.127.116.11 Fire drills shall be carried out on a regular basis.
18.104.22.168 Purchase and installation of IT equipment must be approved by the IT department.
22.214.171.124 Purchase and installation of software for IT equipment must be approved by the IT department.
126.96.36.199 The IT department should ensure documentation of the IT systems according to erp²'s standards.
188.8.131.52 Changes in IT systems should only be implemented if well-founded from a business and security standpoint.
184.108.40.206 The IT department should have emergency procedures in order to minimize the effect of unsuccessful changes to the IT systems.
220.127.116.11 Operational procedures should be documented. Documentation must be updated following all substantial changes.
18.104.22.168 Before a new IT system is put in production, plans and risk assessments should be in place to avoid errors. Additionally, routines for monitoring and managing unforeseen problems should be in place.
22.214.171.124 Duties and responsibilities should be separated in a manner reducing the possibility of unauthorized or unforeseen abuse of erp²'s assets.
126.96.36.199 Development, testing and maintenance should be separated from operations in order to reduce the risk of unauthorized access or changes, and in order to reduce the risk of error conditions.
188.8.131.52 All contracts regarding outsourced IT systems should include:
184.108.40.206 Requirements for information security must be taken into consideration when designing, testing, implementing and upgrading IT systems, as well as during system changes. Routines must be developed for change management and system development/maintenance.
220.127.116.11 IT systems must be dimensioned according to capacity requirements. The load should be monitored in order to apply upgrades and adjustments in a timely manner. This is especially important for business-critical systems.
18.104.22.168 Computer equipment must be safeguarded against virus and other malicious code. This is the responsibility of the IT security manager.
22.214.171.124 The IT department is responsible for carrying out regular backups and restore of these backups, as well as data storage on erp²'s IT systems according to their classification.
126.96.36.199 Backups should be stored externally or in a separate, suitably protected zone.
188.8.131.52 The IT department has the overall responsibility for protecting erp²'s internal network.
184.108.40.206 There should be an inventory containing all equipment connected to erp²'s wired networks.
220.127.116.11 All access to erp²'s networks should be logged.
18.104.22.168 There should be procedures in place for the management of removable storage media. Implementation is the responsibility of each employee.
22.214.171.124 Storage media should be disposed of securely and safely when no longer required, using formal procedures.
126.96.36.199 Procedures and controls should be established for protecting exchange of information with third parties and information transfer. Third party suppliers must comply with these procedures.
188.8.131.52 erp² has the right to access personal e-mail and other personal data stored on erp²'s computer networks.
184.108.40.206 Storage and transfer of sensitive information (see class model in chapter 3.11) should be encrypted or otherwise protected.
220.127.116.11 Information exchanged across public networks in connection with e-commerce, should be protected against fraud, contractual discrepancies, unauthorized access and changes.
18.104.22.168 The IT department should ensure that publicly accessible information, e.g. on erp²'s web services, is adequately protected against unauthorized access.
22.214.171.124 Access and use of IT systems should be logged and monitored in order to detect unauthorized information processing activities.
126.96.36.199 Usage and decisions should be traceable to a specific entity, e.g. a person or a specific system.
188.8.131.52 The IT department should register substantial disruptions and irregularities of system operations, along with potential causes of the errors.
184.108.40.206 Capacity, uptime and quality of the IT systems and networks should be sufficiently monitored in order to ensure reliable operation and availability.
220.127.116.11 The IT department should log security incidents for all essential systems.
18.104.22.168 The IT department should ensure that system clocks are synchronized to the correct time.
22.214.171.124 Usage of information systems containing personal information is regulated under the GDPR.
126.96.36.199 Written guidelines for access control and passwords based on business and security requirements should be in place. Guidelines should be re-evaluated on a regular basis.
188.8.131.52 Guidelines should contain password requirements (frequency of change, minimum length, character types which may/must be utilized, etc.) and regulate password storage.
3.8.2 User administration and responsibility
184.108.40.206 Users accessing systems must be authenticated according to guidelines.
220.127.116.11 Users should have unique combinations of usernames and passwords.
18.104.22.168 Users are responsible for any usage of their usernames and passwords. Users should keep their passwords confidential and not disclose them unless explicitly authorized by the CSO.
22.214.171.124 Access to information systems should be authorized by immediate superiors in accordance with the system owner directives. This includes access rights, including accompanying privileges. Authorizations should only be granted on a "need to know" basis, and regulated according to role.
126.96.36.199 The immediate superior should alert the system administrator about granting access and changes in accordance with the directives from the system owner.
188.8.131.52 Roles and responsibilities with accompanying access rights should be described based on the following classifications.
184.108.40.206 The IT department is responsible for ensuring that network access is granted in accordance with access policy.
220.127.116.11 Users should only have access to the services they are authorized for.
18.104.22.168 The access to privileged accounts and sensitive areas should be restricted.
22.214.171.124 Users should be prevented from accessing unauthorized information.
126.96.36.199 Remote access to erp²'s computer equipment and services is only permitted if the security policy has been read and understood and the IT regulations signed.
188.8.131.52 Remote access to erp²'s network may only take place through security solutions approved by the IT department.
184.108.40.206 Mobile units should be protected using adequate security measures.
220.127.116.11 Information classified as sensitive must be encrypted if stored on portable media, such as memory sticks, PDAs, DVDs and cell phones.
18.104.22.168 Definitions of operational requirements for new systems or enhancements to existing systems must contain security requirements.
22.214.171.124 Guidelines for administration and use of encryption for protecting information should be in place.
126.96.36.199 All changes to production environments should comply with existing routines.
188.8.131.52 The implementation of changes to the production environment should be controlled by formal procedures for change management, in order to minimize the risk of damaged information or information systems.
184.108.40.206 Systems developed for or by erp² must satisfy definite security requirements, including data verification, securing the code before being put in production, and use of encryption.
220.127.116.11 All software should be thoroughly tested and formally accepted by the system owner and the IT department before being transferred to the production environment.
18.104.22.168 Prior to new systems classified as “high” , or substantial changes in systems classified as “high” (see Table 1: System classification) are put in production, a risk assessment must be carried out.
22.214.171.124 All breaches of security, along with the use of information systems contrary to routines, should be treated as incidents.
126.96.36.199 All employees are responsible for reporting breaches and possible breaches of security. Incidents should be reported to management or directly to the CSO.
188.8.131.52 Routines are to be developed for incident management and reporting. The routines should contain measures for preventing repetition as well as measures for minimizing the damage.
184.108.40.206 The CSO should ensure that routines are in place for defining the cost of security incidents.
3.10.3 Collection of evidence
220.127.116.11 The IT security manager should be familiar with simple routines for collecting evidence.
18.104.22.168 A plan for continuity and contingencies covering critical and essential information systems and infrastructure should exist.
22.214.171.124 The continuity plan(s) should be based on risk assessments focusing on operational risks.
126.96.36.199 The continuity plan(s) should be consistent with erp²'s overall contingencies and plans.
188.8.131.52 The continuity plan(s) should be tested on a regular basis to ensure adequacy, and to ensure that management and employees understand the implementation.
184.108.40.206 Production systems and other systems classified as "high" (see Table 1: System classification) should have backup solutions. The table below should be completed after carrying out a risk assessment and/or Business Impact Analysis (BIA). (This table is an example)
|3 – High||< 8 hours||The system may be unavailable for up to 8 hours|
|2 - Medium||24 hours||The system may be unavailable for up to 24 hours|
|1 – Low||3 days||The system may be unavailable for up to 3 days|
Table 1: System classification
220.127.116.11 erp² must comply with current laws, as well as other external guidelines, such as (but not limited to):
List of relevant national legislation, e.g.:
Other relevant references
18.104.22.168 Insert relevant statements for your organization according to e.g. 95/46/EC and 2002/58/EC.
22.214.171.124 All employees must comply with the Information security policy and guidelines. Enforcement is the responsibility of line management. Personnels must comply with IT regulations.
126.96.36.199 Employees and Personnels should be aware that evidence from security incidents will be stored and may be handed over to law enforcement agencies following court orders.
188.8.131.52 Audits should be planned and arranged with the involved parties in order to minimize the risk of disturbing the activities of erp².
Governing documents for information security should contribute to a balanced level of measures with regards to the risks and requirements related to erp². Documented requirements and guidelines should exist for information security based on up-to-date risk assessments. Systems and infrastructure should be covered by best practices for information security.
184.108.40.206 erp² has organized a document structure describing their security architecture in three levels. The structure for governing documents for information security work is as follows: