This document is the property of ADWEA and cannot be used nor provided to outside party without prior authorization.
Effective Date: Xst of Xxx 20XX
Volume Chapter Version
IT GOVERNANCE X X X
Page 2 of 93
Approval Stamp.
Chairman:
CYBER SECURITY POLICY
Approved By Chairman
1 Table of Contents
4.1.3 Background 10
4.2.3 Background 15
4.3.2 Applicability 20
4.3.3 Background 20
4.4.3 Background 23
4.5.3 Background 26
4.6.3 Background 29
4.7.3 Background 31
4.8.3 Background 36
4.9.3 Background 42
4.10.3 Background 49
4.11.3 Background 54
4.12.3 Background 65
4.13.3 Background 71
4.14.3 Background 77
4.15.3 Background 81
7 REFERENCES 91
8 APPENDICES 92
8.1 DEFINITIONS 92
2 EXECUTIVE SUMMARY
As cyber threats such as hacktivism and cybercrime evolve, so must our efforts to defend
against them in a coordinated and systematic manner. To align and direct national
cybersecurity efforts, the UAE Government created the National Electronic Security
Authority (NESA), which developed the UAE Information Assurance (IA) Standards to
improve our national cybersecurity and protect our national information and
communications infrastructure.
The adoption of these Standards by important UAE government entities like ADWEA
shall help in developing a trusted digital environment for businesses and individuals
across the nation.
To this effect, the ADWEA Information Security Policies have been established to clearly
articulate which business policies shall be followed to improve ADWEA's information security
posture as it relates to the protection of its people and information.
It is important to note that the ADWEA Security Policies are based upon the IA Standards
set by NESA, which are a recognized and respected information security standard developed for the
protection of critical infrastructure across the UAE.
3 GENERAL APPLICABILITY
This policy is applicable to all ADWEA information assets, including (but not limited to)
all services, processes, and systems managed by the Information Technology and Operation
Technology Departments, unless specific overriding scopes are identified under specific
policy elements/sub-elements.
4 IT POLICY ELEMENTS
This policy protects the information used to conduct ADWEA's business and the systems
that support this information. The high-level objectives of this information policy are:
Maintaining the confidentiality of sensitive information
Successful management of the information security risks within the entity
Efficient management of the information security process
Compliance with sector or national requirements
This policy is applicable to all ADWEA information, including (but not limited to) all
services, processes, and systems managed by Information Technology and Operation
Technology Departments.
4.1.3 Background
We believe that Information Security is critical for establishing trust between our
customers, business partners, and employees. It is one of the fundamental requirements
to ensure integrity and timely availability of information for serving our customers
efficiently and effectively, ensure legal compliance and to prevent unauthorized access to
our business systems and data.
These policies communicate the direction to be followed in securing the organization.
4.1.5.1 The CEO shall ensure that the information security policy, as well as guidelines and standards,
are utilized and acted upon by delegating the responsibility appropriately down the line while
remaining accountable.
4.1.5.2 The CEO/VP-IT must ensure the availability of sufficient training and information material for all
users, to enable the users to protect ADWEA's data and information systems.
4.1.5.3 The security policy shall be reviewed and updated annually or when necessary, in accordance
with principles described in NESA UAE Information Assurance Standards.
4.1.5.4 All important changes to ADWEA's activities, and other external changes related to the threat
level, shall result in a revision of the policy and the guidelines relevant to the information security.
4.1.5.5 It is the organization's policy that the information it manages shall be appropriately secured to
protect against the consequences of breaches of confidentiality, failures of integrity or
interruptions to the availability of that information.
4.1.5.6 This information security policy provides management direction and support for information
security across the organization. Specific, subsidiary information security policies shall be
considered part of this information security policy and shall have equal standing.
4.1.5.7 This policy has been ratified by the organization and forms part of its policies and procedures,
including its Regulations for Conduct. It is applicable to and will be communicated to staff and
other relevant parties.
4.1.5.8 This policy shall be reviewed and updated regularly to ensure that it remains appropriate in the
light of any relevant changes to the law, organizational policies or contractual obligations.
4.1.5.9 To determine the appropriate levels of security measures applied to information systems, a
process of risk assessment shall be carried out for each system to identify the probability and
impact of security failures.
4.1.5.10 To manage information security within the organization an information security oversight
committee shall be established, chaired by a senior officer and comprising appropriate senior
organizational managers. The objective of this group shall be to ensure that there is clear
direction and visible management support for security initiatives.
4.1.5.11 This oversight group shall promote security through appropriate commitment and adequate
resourcing.
4.1.5.12 An information security working party, comprising management representatives from all relevant
parts of the organization, shall devise and coordinate the implementation of information security
controls.
4.1.5.13 The responsibility for ensuring the protection of information systems and ensuring that specific
security processes are carried out shall lie with the head of the department managing that
information system.
4.1.5.14 Specialist advice on information security shall be made available throughout the organization.
4.1.5.15 The organization will establish and maintain appropriate contacts with other organizations, law
enforcement authorities, regulatory bodies, and network and telecommunications operators in
respect of its information security policy.
4.1.5.16 The implementation of the information security policy shall be reviewed independently of those
charged with its implementation.
4.1.5.17 Violations of this policy, including failure to report non-compliance, can result in disciplinary
action as described in the exceptions process.
Typically, the most senior management has the overall responsibility for managing
values in any organization in an effective and satisfactory manner as per current laws,
regulations or contracts.
In the context of information security within ADWEA, the CEO has the overall
responsibility for information security at ADWEA.
4.1.6.1 Owner of the security policy - The CEO is the owner of the security policy (this document). The
CEO delegates the responsibility for security-related documentation to the CISO (Chief
Information Security Officer). All policy changes must be approved and signed by the CISO.
4.1.6.2 CISO (Chief Information Security Officer) - The CISO holds the primary responsibility for
ensuring information security at ADWEA.
4.1.6.3 System/Process owner - The system/process owner (typically department or function heads), in
consultation with the IT department, is responsible for the purchasing requirements, development
and maintenance of information and related information systems. All systems and all types of
information must have a defined owner. The system owner must define which users or user
groups are allowed access to the information and what authorized use of this information
consists of. The system ownership shall be described/identified in a separate document.
4.1.6.4 System administrator - System administrators are persons administering ADWEA's information
systems and the information entrusted to the entity by other parties. Each type of information and
system may have one or more dedicated system administrators. These are responsible for
protecting the information, including implementing systems for access control to safeguard
confidentiality, and carrying out backup procedures to ensure that critical information is not lost.
They will further implement, run and maintain the security systems in accordance with the
security policy. Each system must have one or more system administrators. This shall be
documented.
4.1.6.5 Users - Employees are responsible for getting acquainted and complying with ADWEA's IT
regulations and policies. Questions regarding the administration of various types of information
shall be posed to the system owner of the relevant information, or to the system administrator.
4.1.6.6 Consultants and contractual partners - Contractual partners and contracted consultants must
sign a confidentiality agreement prior to accessing sensitive information. The system owner is
responsible for ensuring that this is implemented.
To ensure that a current and complete information risk profile exists for
technology, applications and infrastructure within the enterprise.
To ensure that the entity's risk appetite and tolerance are understood,
articulated and communicated internally.
To ensure that these risks are treated in accordance with the information
security requirements and objectives of the entity which are aligned with the
NESA requirements.
4.2.3 Background
4.2.5.1 ADWEA will use the NESA IAS as its framework for managing its IT information security risks by
establishing the context, performing IT risk assessments, implementing risk treatments and
monitoring their implementation.
4.2.5.2 There will be a formal documented and approved process and procedure associated with the IS
risk assessment, treatment and monitoring for ADWEA.
4.2.5.3 The scope of the risk assessment, treatment and monitoring shall cover all the critical services
and their supporting functions based on the information asset classification (refer to asset
management policy).
4.2.5.4 Roles and responsibilities related to the overall IS risk management for ADWEA shall be clearly
defined and communicated.
4.2.5.5 Risk impact criteria, acceptance criteria and risk evaluation criteria shall be clearly defined under
risk management standards.
4.2.5.6 The IS risk management shall be integrated with the enterprise risk management.
4.2.5.7 The IS risk management plan shall cover all the main elements as outlined below.
4.2.5.7.1 Information Risk Identification- ADWEA shall apply the information security risk
assessment process to identify risks associated with the loss of confidentiality, integrity
and availability for its critical information assets by:
a) Defining clearly the scope of the risk assessment exercise.
b) Identifying critical business functions.
c) Identifying critical information systems supporting business critical functions within the
scope and boundary of the risk assessment.
d) Identifying vulnerabilities related to the information and information systems.
e) Identifying existing information security controls.
f) Identifying threats and threat sources.
g) Identifying the risk owners.
h) Finally, documenting the results of the risk identification.
4.2.5.7.2 Information Risk Analysis and Evaluation - Based on the risks identified, ADWEA shall
perform a proper risk analysis and evaluation to identify and document the business impact
of the risk exposure. The following essentials need to be considered:
i) Assess the potential consequences that would result if the identified risks were to
materialize by assessing the consequences of losses of confidentiality, integrity or
availability
j) Assess the realistic likelihood of the occurrence of the identified risks based on the existing
controls, identified vulnerabilities and threats.
k) Determine the overall levels of risk.
l) Document the results of the risk analysis
m) Establish priorities for treatment of the identified risks.
n) Share with national and sector authorities the results where applicable.
4.2.5.7.3 Information Risk Treatment - ADWEA shall identify and plan appropriate risk
treatment for IT risks that have been assessed, based on the following guidelines.
o) It shall consider the following risk treatment options and select one or more of them for
each of the risks that have been assessed during the Risk Assessment.
o Risk Reduction - Reducing the risk by applying security controls.
o Risk Retention - Accepting the risk based on the entity's risk acceptance criteria
established as per this policy.
o Risk Avoidance - Avoiding the activity or condition causing the risk.
o Risk Transfer - Transferring the risk to another party.
p) It shall identify all controls that are necessary to implement the information security risk
treatment option(s) chosen.
o It will utilize the controls mentioned under the NESA IAS as a starting point for
control identifications and may expand on it.
o It will ensure that no controls are overlooked by producing the Statement of
Applicability for the risk treatment.
o It will identify controls in addition to the controls suggested by NESA that may be
specific to the entity or the sector.
q) ADWEA shall then formulate a risk treatment plan which will clearly identify the
following.
o Appropriate management actions
o Resources required
o Responsibilities and priorities for managing information security risks.
o Target dates for implementation of the identified controls.
o The document for the risk treatment plan.
4.2.5.7.4 Monitoring of Information Security Risk Management - ADWEA shall plan and
document the process for the review and update of the risk assessment and treatment;
this shall include planned reviews and updates as well as ad hoc updates if significant
changes occur.
r) ADWEAs monitoring and review processes shall encompass all aspects of the risk
management process and shall take account of changes in:
o A. The entity itself
o B. Technology used
o C. Business objectives and processes
o D. Risk criteria and the risk assessment process
o E. Assets and consequences of losses of confidentiality, integrity or availability
o F. Identified threats
o G. Identified vulnerabilities
o H. Effectiveness of the implemented controls
o I. External events, such as changes to the legal or regulatory environment, changed
contractual obligations, and changes in social climate.
s) ADWEA shall monitor security incidents that might trigger the risk assessment process.
t) Responsibilities for monitoring and review shall be clearly defined and documented.
4.2.5.7.5 Communication of Information Security Risks - ADWEA shall communicate and
consult on risk information obtained during and after risk management activities with all
stakeholders involved.
u) It will establish and use a formal risk communication plan for communicating risk
information with key stakeholders including decision-makers within the entity during all
stages of the risk management process.
Typically, the most senior management has the overall responsibility for managing
risks in any organization as per current laws, regulations or contracts.
In the context of risks associated with IT within ADWEA, the CEO has the overall
responsibility for managing the information-based risk exposure of ADWEA.
4.2.6.1 Owner of the security policy - The CEO is the owner of the IS risk management policy. The CEO
can delegate the responsibility for managing IT related risks to the CISO (Chief Information
Security Officer). In that case all policy changes related to IT risk must be approved and signed
by the CISO.
4.2.6.2 CISO (Chief Information Security Officer) - The CISO holds the primary responsibility for ensuring
that the information security risk management policy is implemented and enforced at ADWEA,
based on authority delegated by the CEO.
4.2.6.3 System administrator - System administrators are persons administering ADWEA's information
systems and the information entrusted to the entity by other parties. Each type of information and
system may have one or more dedicated system administrators. These are responsible for
protecting the information, including implementing systems for access control to safeguard
confidentiality, and carrying out backup procedures to ensure that critical information is not lost.
They will further implement, run and maintain the security systems in accordance with this policy.
4.2.6.4 Users - Employees are responsible for getting acquainted and complying with ADWEA's IT
regulations and policies. Questions regarding the administration of various types of information
shall be posed to the system owner of the relevant information, or to the system administrator.
4.2.6.5 Consultants and contractual partners - Contractual partners and contracted consultants must sign
a confidentiality agreement prior to accessing sensitive information. The system owner is
responsible for ensuring that this is implemented.
This policy specifies an information security awareness and training program to inform and motivate all
workers regarding their information security obligations.
4.3.2 Applicability
This policy applies throughout the organization as part of the corporate governance framework. It applies
regardless of whether or not workers use the computer systems and networks, since workers are expected to
protect all forms of information asset including computer data, written materials/paperwork and intangible
forms of knowledge and experience. This policy also applies to third party employees working for the
organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound
(e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security
policies.
4.3.3 Background
Technical IT security controls are a vital part of our information security framework but are not in
themselves sufficient to secure all our information assets. Effective information security also requires the
awareness and proactive support of all workers, supplementing and making full use of the technical security
controls. This is obvious in the case of social engineering attacks and frauds, for example, which specifically
target vulnerable humans rather than IT and network systems. Lacking adequate information security
awareness, workers are less likely to recognize or react appropriately to information security threats and
incidents, and are more likely to place information assets in danger through ignorance and carelessness.
Whereas awareness implies a basic level of understanding about a broad range of information security
matters, training implies more narrowly-focused and detailed attention to one or more specific topics.
Training tends to be delivered through classroom or online courses, while awareness tends to be delivered by
multiple communications methods such as seminars, case studies, written briefing and reference materials
(for self-motivated study), posters and conversations. Awareness provides the foundation level of knowledge
and understanding for training to build upon. In other words, security awareness and training are
complementary approaches.
In order to protect information assets, all workers must be informed about relevant, current information
security matters, and motivated to fulfill their information security obligations.
4.3.5.1 An information security awareness program shall ensure that all workers achieve and maintain at
least a basic level of understanding of information security matters, such as general obligations
under various information security policies, standards, procedures, guidelines, laws, regulations
and contractual terms, plus generally held standards of ethics and acceptable behavior.
4.3.5.2 Additional training is mandated for workers with specific obligations towards information security
that are not satisfied by basic security awareness, for example Information Risk and Security
Management, Security Administration, Site Security and IT/Network Operations personnel. Such
training requirements must be identified in workers' personal training plans and funded
accordingly. The training requirements will reflect workers' relevant prior experience, training
and/or professional qualifications, as well as anticipated job needs.
4.3.5.3 Security awareness and training activities shall commence as soon as practicable after workers
join the organization, for instance through attending information security induction/orientation
classes. The awareness activities shall continue on a continuous/rolling basis thereafter in order
to maintain a reasonably consistent level of awareness.
4.3.5.4 Where necessary and practicable, security awareness and training materials shall suit their
intended audiences in terms of their styles, formats, complexity, technical content etc. For
example, some people prefer to read written descriptions and instructions while others prefer to
be shown things or have them demonstrated. Some like to read words, others prefer diagrams
and pictures. Non-technical workers are unlikely to understand or appreciate highly technical
awareness content, while their technical colleagues may well need the full details in order to
understand exactly what they are being asked to do. Everyone needs to know why information
security is so important, but the motivators may be different for workers concerned only about
their own personal situations or managers with broader responsibilities to the organization and
their staff.
4.3.5.5 Information Security's intranet site shall be the focal point for security awareness, providing
information and guidance on a wide variety of information security matters. It is the definitive
source of current information security policies, standards, procedures and guidelines. However,
workers with limited intranet access must also be kept suitably informed by other means such as
seminars, briefings and courses.
4.3.5.6 A range of compliance measures must be undertaken to achieve widespread compliance with
various information security obligations. While the details vary according to the specific nature of
those obligations, including the risks associated with non-compliance, management anticipates a
mixture of routine, periodic and ad hoc compliance activities such as management oversight,
reviews and audits, which may include checking workers' uptake of security awareness and
training opportunities, awareness test results and other metrics.
4.3.6.1 The Chief Information Security Officer/Information Security Manager is accountable for running
an effective information security awareness and training program that informs and motivates
workers to help protect the organization's information assets.
4.3.6.2 Information Security Management is responsible for developing and maintaining a
comprehensive suite of information security policies (including this one), standards, procedures
and guidelines that are to be mandated and/or endorsed by management where applicable.
Working in conjunction with other corporate functions, it is also responsible for running suitable
awareness, training and educational activities to raise awareness and aid understanding of
workers' responsibilities identified in applicable policies, laws, regulations, contracts etc.
4.3.6.3 IT Help/Service Desk is responsible for helping workers on basic information security matters,
liaising with experts from functions such as Information Security Management, Site Security,
Human Resources, Risk Management, Legal and Compliance where necessary.
4.3.6.4 Managers are responsible for ensuring that their staff and other workers within their remit
participate in the information security awareness, training and educational activities where
appropriate.
4.3.6.5 Workers are personally accountable for complying with the information security related policies or
processes and any training and awareness programs conducted by ADWEA.
4.3.6.6 Internal Audit is authorized to assess compliance with this and other corporate policies at any
time.
To increase ADWEA's assurance that personnel will contribute positively to the IT cybersecurity of the
entity by understanding their responsibilities and ensuring they are suitable for their role.
To address security requirements for each phase of the employment, contract or agreement lifecycle,
supporting HR processes such as employment, change of employment or termination.
This policy applies throughout the organization as part of the corporate governance framework. It applies
regardless of whether workers use the computer systems and networks, since workers are expected to protect
all forms of information asset including computer data, written materials/paperwork and intangible forms of
knowledge and experience. This policy also applies to third party employees working for the organization
whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by
generally held standards of ethics and acceptable behavior) to comply with our information security
policies.
4.4.3 Background
As cited in a variety of sources, people are often described as the weakest link in any security system. It is
important to build security into the entire Human Resource (HR) process, from pre-employment, during
employment, and through termination, to ensure that policies and procedures are in place to address security
issues. Consistent training throughout the entire process ensures that employees and contractors are fully
aware of their roles and responsibilities and understand the criticality of their actions in protecting and
securing both information and facilities.
The organization's data must be protected from unauthorized access, disclosure, modification, destruction
or interference. For this to happen, the management of human resources related security and privacy risks
needs to be addressed through an appropriate security policy which ensures adherence to secure best
practices for the complete employment lifecycle within the organization.
4.4.5.2.7 The disciplinary process shall be commenced only after verification that a security
breach has occurred
4.4.5.3 TERMINATION / CHANGE OF EMPLOYMENT
4.4.5.3.1 Employment termination or change of employment responsibilities shall be defined and
assigned emphasizing the communication in relation to ADWEA group information
security (including confidentiality and property rights)
4.4.5.3.2 All ADWEA group personnel shall return all of the organization's assets in their possession upon termination of employment, contract or agreement.
4.4.5.3.3 All personnel access to information and information systems shall be revoked upon
termination of their employment, contract or agreement, or adjusted upon change.
4.4.6.1 The Chief Information Security Officer/Information Security Manager is accountable for enforcing
an effective HR security policy across the organization.
4.4.6.2 Information Security Management is responsible for developing and maintaining the HR security policies (including this one), working in conjunction with the HR process owners.
4.4.6.3 HR Process Owners are responsible for ensuring that ADWEA's HR processes and policies fully incorporate the HR security policy elements outlined under this policy.
4.4.6.4 Workers are personally accountable for complying with the HR security related policies or
processes.
4.4.6.5 Internal Audit is authorized to assess compliance with this and other corporate policies at any
time.
To define compliance from the perspective of ADWEA's IT policy and UAE IA standards.
To increase ADWEA's assurance that all ADWEA's IT security requirements and externally mandated requirements have been implemented and maintained where applicable throughout the lifecycle.
The Compliance policy covers all of ADWEA's Information resources and supporting people, processes and systems, whether managed or hosted internally or externally.
4.5.3 Background
4.5.5.1 All ADWEAs legal and contractual compliance requirements, including at sector and national
levels, shall be identified and documented, specifying the consequences of not meeting each
compliance requirement.
4.5.5.2 All employees shall comply with all national, sector and local laws and regulations for cyber security.
4.5.5.3 Execution of all IT security procedures and activities shall comply with IT security Policies and Processes.
4.5.5.4 Any perceived violations shall be reported to the site-specific IT security focal point of contact, and appropriate actions shall be taken to mitigate the risks of non-compliance.
4.5.5.5 All deviations from IT policy at the site level shall be approved by the site security focal point of contact.
4.5.5.6 Compliance audits shall be conducted only by resources identified by the IT Steering Committee
on an annual basis, and shall be carefully planned and agreed upon when performed against
operational IT Systems and assets.
4.5.5.7 Information consisting of vulnerabilities and potential non-compliance shall be considered as
confidential information and shall be treated accordingly.
4.5.5.8 Information concerning such vulnerabilities and non-compliance shall be shared within ADWEA
only on a need to know basis.
4.5.5.9 IT Steering Committee shall be informed of all potential vulnerabilities and non-compliance
issues on a regular basis and shall be accountable for providing adequate resources to mitigate
these issues.
4.5.5.10 The IT site-specific focal point of contact is responsible for coordinating with the IT Steering Committee to make decisions regarding external communications with customers or government entities.
4.5.5.11 Individual employees shall not share any potential vulnerabilities or non-compliance issues
externally (e.g.: to media, government or customers).
4.5.6.1 As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.
4.5.6.2 IS/Internal Audit is authorized to assess compliance with this policy at any time. Typical
responsibilities include:
4.5.6.2.1 Define the audit criteria, scope and audit plan for each audit
4.5.6.2.2 Select auditors and conduct audits to ensure objectivity and the impartiality of the audit
process
4.5.6.2.3 Ensure that the results of the audits are reported to relevant management
4.5.6.2.4 Document the audit program and the audit results
4.5.6.2.5 Ensure that the internal audit is effectively implemented and maintained
To ensure that IT security performance is measured, analyzed, evaluated and improved, where necessary to
meet changing risk factors and entity goals and objectives.
The Performance policy typically targets the information security domain within ADWEA, including all
the associated Information resources and supporting people, processes and systems.
4.6.3 Background
For the measurement of information security performance and the effectiveness of the information security management system, the organization needs to determine the following:
what needs to be monitored and measured, including information security processes and controls;
the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
when the monitoring and measuring is to be performed;
who would monitor and measure;
when the results from monitoring and measurement are analyzed and evaluated; and
who would analyze and evaluate these results.
4.6.5.1 Key security performance indicators, to evaluate the performance of ADWEA's IT security controls and the effectiveness of the IT security management program in achieving business goals and objectives, shall be established by the IT Security Program Manager and be reviewed and approved by the IT steering committee.
4.6.5.2 Annual compliance and operational audits shall identify and evaluate adherence to security
KPIs.
4.6.5.3 When risk factor changes (i.e. threats and vulnerabilities landscape changes) compliance and
operational audits shall identify and evaluate adherence to security KPIs.
4.6.5.4 All cyber incidents shall be analyzed to determine ineffective security controls and appropriate
compensating controls shall be put in place.
4.6.5.5 IT steering committee shall outline performance improvement plans based on successive progression of security controls maturity and in line with the company's goals and objectives.
4.6.5.6 IT Steering committee shall monitor the implementation of performance improvement plan on a
regular basis.
4.6.6.1 As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.
4.6.6.2 IS/Internal Audit is responsible for assessing the performance of the Information security
program based on the KPIs set by the IT security Manager and approved by the IT steering
committee. Typical responsibilities include during any audits:
4.6.6.2.1 Define the audit criteria (i.e. identified KPIs), scope and audit plan for each audit
4.6.6.2.2 Select IT auditors and conduct audits to ensure objectivity and the impartiality of the
audit process
4.6.6.2.3 Ensure that the results of the audits are reported to relevant management
4.6.6.2.4 Document the audit program and the audit results
4.6.6.2.5 Ensure that the internal audit is effectively implemented and maintained
To ensure that all IT assets are properly classified and that the assets are appropriately managed and protected throughout their lifecycle, per their classification.
The Asset Management Policy covers all of ADWEA's Information resources and supporting systems, whether managed or hosted internally or externally.
4.7.3 Background
An asset is defined as "an item of value". Asset management is based on the idea that it is important to
identify, track, classify, and assign ownership for the most important assets in your organization to ensure
they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset
management. Knowing what you have, where it lives, how important it is, and who's responsible for it are all important pieces of the puzzle.
Similarly, an Information Asset is an item of value containing information. The same concepts of general
asset management apply to the management of information assets. To be effective, an overall asset
management strategy shall include information assets, software assets, and information technology
equipment.
An organization shall be able to know what physical, environmental or information assets it holds, and can
manage and protect them appropriately. Important elements to consider when developing an asset
management policy are:
Inventory (do you know what assets you have & where they are?)
Responsibility/Ownership (do you know who is responsible for each asset?)
Importance (do you know how important each asset is in relation to other assets?)
Establish acceptable-use rules for information and assets.
Establish procedures for the labeling of physical and information assets.
Establish return of asset procedures (do you have an employee exit procedure?)
Protection (is each asset adequately protected according to how important it is?)
4.7.5.3.8 Damaged industrial control devices containing sensitive data shall require a risk
assessment to determine whether items shall be physically destroyed rather than sent
for repair or discarded.
4.7.5.4 Asset Buy-back / Exchange option
4.7.5.4.1 If there is an option of buy back / exchange by the Vendor, the same can be practiced
after management approval. This must not compromise the sensitive data / information
of the organization.
4.7.6.1 CEO- The CEO shall have authority to represent the organization for the protection and security
of the information asset as ownership of Information assets is assigned to this organizational
role. CEO shall approve the Information Management / Security Policy.
The CEO may delegate full / partial ownership along with the defined responsibilities to any
officer / contractor / third party with operational rights and responsibility.
4.7.6.2 CIO (Chief Information Officer) - The CIO ensures that strategic planning processes are undertaken so that information requirements and supporting systems and infrastructure are aligned to legislative requirements and strategic goals. The CIO ensures that information security policies and governance practices are established to ensure the quality and integrity of the agency's information resources and supporting IT systems. They oversee the development of tools, systems and information technology infrastructure to maximize the access and use of an agency's information resources.
The Chief Information Officer is responsible for:
Interpreting the business and information needs and wants of the organization
and translating them into ICT initiatives
Setting the strategic direction for information and communications technology
and information management
Ensuring that ICT and information management investment is aligned to the
Ensuring that projects and initiatives are aligned and coordinated to deliver the best
value
Ensuring ICT planning is integrated into business planning
Identifying opportunities for information sharing and cross collaboration on projects and
initiatives.
4.7.6.3 CISO (Chief Information Security Officer) - The information security officer is responsible for developing and implementing information security policy designed to protect information and any supporting information systems from any unauthorized access, use, disclosure, corruption or destruction.
The information security officer shall:
Develop policies, procedures and standards to ensure the security, confidentiality and
privacy of information that is consistent with organizational Information security policy
Monitor and report on any information intrusion incidents and activate strategies to
prevent further incidents.
Work with information custodians to ensure that information assets have been assigned
appropriate security classifications.
Maintenance and upkeep of the asset as defined by the asset owner
System Restart and recovery
Implementing any changes as per the change management procedure
Backup of the information
Updating of information asset inventory register;
Identifying the classification level of information asset;
Defining and implementing appropriate safeguards to ensure the confidentiality,
integrity, and availability of the information asset;
Assessing and monitoring safeguards to ensure their compliance and report situations
of non-compliance;
Authorizing access to those who have a business need for the information, and ensuring
access is removed from those who no longer have a business need for the information.
4.7.6.4 Data Operators / End Users - Employees, Third Parties, Contractors authorized by the Owner /
custodian to access information and use the safeguards established by the Owner / custodian.
Being granted access to information does not imply or confer authority to grant other users
access to that information. The users are bound by the acceptable usage policy of the
organization.
Objective: To ensure the organization appropriately protects buildings and rooms to prevent unauthorized
access, damage, or interference to the information systems therein.
Objective: To ensure the organization appropriately protects information systems equipment from physical
and environmental threats.
This Policy covers all of ADWEA's IT systems, whether managed or hosted internally or externally.
4.8.3 Background
Physical and environmental security programs define the various measures or controls that protect
organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood,
intentional destruction, unintentional damage, mechanical equipment failure and power failures. Physical
security measures shall be sufficient to deal with foreseeable threats and shall be tested periodically for their
effectiveness and functionality.
These are some of the fundamental elements of any Incident management program which can act as
guidelines for developing an appropriate IS incident management policy and process. They are listed below.
Determine which managers are responsible for planning, funding, and operations of physical
security of the Data Center.
Review best practices and standards that can assist with evaluating physical security controls,
such as ISO/IEC 27002:2013 / NESA IAS etc.
Establish a baseline by conducting a physical security controls gap assessment that will include
the following as they relate to your campus Data Center:
o Environmental Controls
o Natural Disaster Controls
o Supporting Utilities Controls
o Physical Protection and Access Controls
o System Reliability
o Physical Security Awareness and Training
o Contingency Plans
4.8.5.1 Secure areas: ADWEA shall take due care to prevent unauthorized physical access, damage or interference to the organization's premises and infrastructure, using controls appropriate to the identified risks and the value of the assets protected. The policies outlined below are geared towards the same.
4.8.5.1.1 Physical security perimeter: Security perimeters shall be used to protect areas that contain information and information processing facilities, using walls, controlled entry doors/gates, manned reception desks and other measures. The following points need to be considered:
a) perimeter siting and strength determined by risk assessment;
b) clearly defined and marked perimeters, except in situations where hidden/disguised
perimeters would enhance security;
c) use of physically sound walls, windows and doors, protected with bars, locks, alarms
as appropriate;
d) use of additional physical barriers, where appropriate to prevent unauthorized access
or physical contamination;
e) provision of appropriate protection against fire, water or other reasonably anticipated
environmental threats;
f) use of appropriate intrusion detection systems, such as motion and perimeter alarms,
audio and video surveillance;
g) use of manned reception areas or appropriate lock/ID systems to control passage into
the restricted area;
h) measures designed with sufficient redundancy such that a single point of failure does
not compromise security; and
i) regular maintenance to and review of the adequacy of the components of these
physical protections.
4.8.5.1.2 Physical entry control: Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. The following points need to be considered:
a. authentication mechanisms (e.g., keycard and PIN) proportionate to the identified risks
and the value of the asset(s) protected;
b. recording of date/time of entry and exit, and/or video recording of activities in the
entry/exit area, as appropriate;
c. requirement for authorized personnel to wear visible identification, and to report
persons without such identification;
d. appropriate authorization and monitoring procedures for third-party personnel who
must be given access to the restricted area; and
e. regular review and, when indicated, revocation of access rights (see also human
resources security.)
4.8.5.1.3 Secure offices, rooms and facilities: Physical security for offices, rooms and facilities shall be designed and implemented. The following points need to be considered:
a. use of measures that are commensurate to the identified risks and the value of the
assets at risk in each setting;
b. use of measures that balance relevant health, safety and related regulations and
standards;
c. use of highly visible controls, where appropriate as a deterrent;
d. use of unobtrusive or hidden controls/facilities, where appropriate for highly sensitive
assets; and
e. restrictions on information about facilities, including directory and location
information.
4.8.5.1.4 Protecting against external and environmental threats: Physical protection against damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of natural and man-made risk shall be designed and implemented. The following points need to be considered:
a. consideration of probabilities of various categories of risks and value of assets
protected against those risks;
b. consideration of security threats posed by neighboring facilities and structures;
c. appropriate fire-fighting equipment and other counter-measures provided and suitably
located on site; and
d. appropriate siting of backup facilities and data copies in a suitable location off-site.
4.8.5.1.5 Working in secure areas: Physical protection and guidelines for working in secure areas shall be designed and implemented. The following points need to be considered:
a. limiting personnel's awareness of, and activities within, a secure location on a need-to-
know basis;
b. limiting or prohibiting unsupervised/unmonitored work in secure areas, both for safety
reasons and to avoid opportunities for malfeasance;
c. keeping vacant secure areas locked, subject to periodic inspection, and/or monitored
remotely as appropriate by video or other technologies;
d. limiting video, audio or other recording equipment, including cameras in portable
devices, in secure areas.
4.8.5.1.6 Public access (or any delivery and loading access): Access points such as delivery and loading areas, and other points where unauthorized persons may enter the premises, shall be controlled. The following points need to be considered:
a. limits on access to the delivery and loading areas, and to other public access areas, to
the degree possible;
b. inspection of incoming and outgoing materials, and separation of incoming and
outgoing shipments, where possible; and
c. isolation of these areas from information processing facilities and areas where
information is stored, where possible.
4.8.5.2 Equipment security: ADWEA shall take due measures to prevent loss, damage, theft or compromise of assets or interruption to the organization's activities.
4.8.5.2.1 Equipment siting and protection: Equipment shall be sited or protected to reduce the risks from environmental threats and hazards, and to reduce the opportunities for unauthorized access by human threats. The following points need to be considered:
a. siting to minimize unnecessary risks to the equipment, and to reduce the need for
unauthorized access to sensitive areas;
b. siting to isolate items requiring special protection, to minimize the general level of
protection required;
c. use of particularized controls as appropriate to minimize physical threats -- e.g., theft
or damage from vandalism, fire, water, dust, smoke, vibration, electrical supply
variance, or electromagnetic radiation; and
d. guidelines for eating, drinking, smoking or other activities near equipment.
4.8.5.2.6 Secure disposal or re-use of equipment: All equipment containing storage media shall be checked to ensure that sensitive data and licensed software has been removed or securely overwritten prior to disposal. The following points need to be considered:
a) use of generally accepted methods for secure information removal, appropriate to the
sensitivity of the information known or believed to be on the media;
b) secure information removal by appropriately trained personnel, or verification of
secure information removal by appropriately trained personnel.
4.8.5.2.7 Removal of property: Equipment, information or software shall not be taken off-premises without prior authorization. The following points need to be considered:
a) limitations on types/amounts of information or equipment that may be taken off-site;
b) recording of off-site authorizations and inventory of equipment and information taken off-site; and
c) for persons authorized to take equipment or information off-site, appropriate awareness of security risks associated with off-premises environments and training in appropriate controls and counter-measures.
As per the Roles and Responsibilities section at the end of the overall IT policy set.
This policy covers all of ADWEA's Information resources and supporting systems, whether managed or hosted internally or externally.
4.9.3 Background
Operations security involves planning and sustaining the day-to-day, "rubber meets the road" processes that are critical to maintaining the security of organizations' information environments. The extent and complexity of security operations will vary between organizations based on their risk tolerances and resource levels. However, the most important aspect of operations security is that the operations themselves need to be repeatable, reliable, and consistently performed.
The 7 key guiding security controls for any policy / process development for operational security are listed below.
Operational Procedures and Responsibilities- Important operational processes include Change
Management, Capacity Management, Separation of Development, Test, and Operations
Environments.
Protection from Malware
Backups of all critical business information.
Logging and Monitoring of all critical IT systems
Control of Operational Software
Technical Vulnerability Assessment and Management
4.9.5.1 Operational procedures and responsibilities: ADWEA shall take due measures to ensure the correct and secure operation of information processing facilities. To this effect, the policies below have been instituted.
4.9.5.2 Third party delivery management: This category aims to implement and maintain the appropriate
level of information security and service delivery in the context of third-party service delivery
agreements.
4.9.5.3 System planning and acceptance : This category aims to minimize the risk of systems failures.
o clear definition of, agreement on, testing of, and documentation of compliance with
requirements for system acceptance; and
o consultation with affected persons, or representatives of affected groups, at all phases
of the process.
4.9.5.4 Protection against malicious and mobile code: This category aims to protect the
integrity of software and information.
4.9.5.5 Back-up : This category aims to maintain the integrity and availability of organizational
information.
o complete inventory records for the back-up copies, including content and current
location;
o complete documentation of restoration procedures for each system;
o storage of the back-ups in a remote location, at a sufficient distance to make them
reasonably immune from damage to data at the primary site;
o appropriate physical and environmental controls for the back-up copies wherever located;
o appropriate technical controls, such as encryption, for back-up copies of sensitive information;
o regular testing of back-up media; and
o regular testing of restoration procedures.
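The inventory, encryption and restoration-testing requirements in the list above can be exercised as a routine drill rather than left as a paper control. The script below is an added example and is not ADWEA code or part of the policy: the backup names, storage locations and file contents are constructed samples, the "encrypted" attribute is modelled as an inventory flag rather than real cryptography, and the archives are built in memory so the drill runs offline.

```python
"""Backup inventory and restore drill (added example, not ADWEA code).

Checks three of the back-up controls listed above for each backup copy:
  1. the inventory record names a current storage location;
  2. copies holding sensitive information are recorded as encrypted;
  3. the copy can actually be restored, and every restored file matches
     the hash recorded at backup time (a test of the restoration procedure).
All backups, locations and file contents below are constructed samples.
"""
import hashlib
import io
import tarfile
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BackupRecord:
    name: str
    location: str      # current location from the inventory (constructed)
    sensitive: bool    # does the copy hold sensitive information?
    encrypted: bool    # is the copy stored encrypted? (modelled as a flag)
    archive: bytes     # the backup copy itself, a gzip-compressed tar
    manifest: dict     # path -> sha256 recorded when the backup was taken


def make_backup(name, location, files, sensitive, encrypted):
    """Build an in-memory tar.gz from {path: bytes} and record each file's hash."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    manifest = {path: sha256(content) for path, content in files.items()}
    return BackupRecord(name, location, sensitive, encrypted, buf.getvalue(), manifest)


def restore_test(record):
    """Read every file back out of the archive and compare it with the manifest.
    Returns a list of findings; an empty list means the restore test passed."""
    try:
        with tarfile.open(fileobj=io.BytesIO(record.archive), mode="r:gz") as tar:
            restored = {m.name: tar.extractfile(m).read()
                        for m in tar.getmembers() if m.isfile()}
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"{record.name}: archive unreadable ({type(exc).__name__})"]
    findings = []
    for path, expected in record.manifest.items():
        if path not in restored:
            findings.append(f"{record.name}: {path} missing after restore")
        elif sha256(restored[path]) != expected:
            findings.append(f"{record.name}: {path} hash mismatch after restore")
    return findings


def audit_backups(records):
    """Apply the inventory, encryption and restore checks to every record."""
    findings = []
    for r in records:
        if not r.location:
            findings.append(f"{r.name}: no storage location recorded in inventory")
        if r.sensitive and not r.encrypted:
            findings.append(f"{r.name}: sensitive copy is stored unencrypted")
        findings.extend(restore_test(r))
    return findings


def build_sample_records():
    """Constructed inventory: a healthy copy, an unencrypted sensitive copy,
    a copy whose recorded hash no longer matches, and an unreadable copy."""
    healthy = make_backup("plc-config-weekly", "offsite vault A (constructed)",
                          {"config/plc01.cfg": b"scan_rate=50\n",
                           "config/plc02.cfg": b"scan_rate=60\n"},
                          sensitive=True, encrypted=True)
    unencrypted = make_backup("hr-roster-daily", "onsite tape library (constructed)",
                              {"hr/roster.csv": b"id,name\n1,sample\n"},
                              sensitive=True, encrypted=False)
    altered = make_backup("gis-export-monthly", "offsite vault A (constructed)",
                          {"gis/export.geojson": b'{"type":"FeatureCollection"}'},
                          sensitive=False, encrypted=False)
    # The copy was taken from a different file version than the one recorded.
    altered.manifest["gis/export.geojson"] = sha256(
        b'{"type":"FeatureCollection","features":[]}')
    rotten = make_backup("billing-db-nightly", "offsite vault B (constructed)",
                         {"db/billing.sql": b"-- dump\n"}, sensitive=True, encrypted=True)
    rotten.archive = b"\x00" * 64   # media failure: the archive can no longer be read
    return [healthy, unencrypted, altered, rotten]


if __name__ == "__main__":
    for finding in audit_backups(build_sample_records()):
        print(finding)
```

In a real deployment the manifest would be written at backup time and stored with the inventory record, and the restore test would run against the copy held at the remote location, not the one at the primary site; any finding from the three checks is the trigger for the corrective action the policy requires.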
4.9.5.6 Network security management: This category aims to ensure the protection of information in networks and protection of the supporting network infrastructure.
o technical parameters and rules for secured connection with the network; and
o procedures and processes to control/restrict network access.
4.9.5.7 Media handling: This category aims to prevent unauthorized disclosure, modification, removal or destruction of information assets, or interruptions to business activities.
As per the Roles and Responsibilities section at the end of the overall IT policy set.
To ensure the protection of information in networks and its supporting information processing facilities.
To maintain the security of information transferred within an organization and with any external entity.
This policy covers all of ADWEA's information resources and supporting systems, whether managed or hosted internally or externally.
4.10.3 Background
Communications encompasses the breadth of digital data flows both within an organization and between
external entities across network infrastructures. These flows now include data, voice, video, and all their
associated signaling protocols. Securing these information flows as they traverse Intranets, Extranets, and
Internet requires effective network infrastructure management as well as controls, policies, and procedures.
When beginning the process of developing and establishing a secure communications policy/program, the
following fundamentals must be considered and adhered to:
- Develop policies and standards that support the:
o Establishment of clear authority and accountability for network management.
o Risk-based segregation of groups of systems, users, and information systems.
o Authority to control, actively monitor, and log traffic traversing designated ingress and egress points.
- Identify threats related to the communications environment.
o Evaluate threat scenarios and methods of network attack (reconnaissance, exploitation, data exfiltration).
- Identify the most critical systems, data, or equipment within the network.
- Use routing and firewalls to define the network perimeter.
- Use a border firewall and/or Intrusion Detection/Prevention devices to limit entry/exit of network traffic.
- Define the demilitarized zone of the network where the public can access limited network resources, as well as public access points to the network such as open access ports and public WiFi.
- Define restricted portions of the network for use by authorized staff and facility personnel; use identity and access management controls for users and systems on the network.
- Define highly restricted portions of the network such as within data centers, communications facilities, or other highly restricted areas.
- Establish information transfer policies and encryption standards that address varied needs for confidentiality, integrity, and non-repudiation of internal and external data exchanges.
4.10.5.1 Exchange of information: This category aims to maintain the security of information and software exchanged within an organization and with any external entity.
4.10.5.2 Electronic commerce services: This category aims to ensure the security of electronic commerce services and their secure use.
4.10.5.3 Monitoring: This category aims to detect unauthorized information processing activities.
As per the Roles and Responsibilities section at the end of the overall IT policy set.
To cover all stages of the user access life-cycle, from determining the types and affiliation of organizational users and their corresponding privileges to the procedures to revoke and disable their access.
To underscore the importance of the active participation of users in safeguarding the access privileges and credentials provided to them, and the practices needed to prevent unauthorized user access and disclosure of privileged information.
To cover the mechanisms that an organization can use to ensure that only authorized users have access to organizational computing devices.
This policy covers all of ADWEA's information resources and supporting systems, whether managed or hosted internally or externally.
4.11.3 Background
A basic element of any organization's information security program is the protection of information
resources that support the critical operations of the organization from unauthorized access, modification, or
disclosure. Access control is basically the use of administrative, physical, or technical security features to
manage how users and systems communicate and interact with other information resources.
The following comprise the core principles for developing an access control policy framework.
- Related roles and responsibilities.
- Need-to-Know: Access only to information needed to perform assigned tasks.
- Need-to-Use: Access only to information resources needed to perform assigned tasks.
- Access levels and privileges by role.
- Periodic review and removal of access levels and privileges.
- Segregation of duties for requesting, authorizing, and reviewing access levels and privileges.
- What is required to identify users?
- Requirement for vetting users in person.
- Requirement to archive records concerning user identification and credentialing.
- What criteria are used to determine the types of credentials used?
- What criteria are used to determine the level of access to applications and services?
4.11.5.1 Business requirements for access control: The objective of this category is to control access to information, information processing facilities, and business processes.
4.11.5.2 User access management: This category aims to ensure authorized user access, and prevent unauthorized access, to information and information systems. It typically mandates the below:
o formal procedures to control the allocation of access rights;
o procedures covering all stages in the life-cycle of user access, from provisioning to de-provisioning;
o special attention to control of privileged ("super-user") access rights; and
o appropriate technical measures for identification and authentication to ensure compliance with defined access rights.
4.11.5.3 User responsibilities: This category aims to prevent unauthorized access to, and compromise or theft of, information and information systems. It includes user awareness of:
o responsibilities for maintaining authentication security, particularly regarding password and token safety; and
o responsibilities for securing computers and other office equipment.
o select "strong" passwords that are resistant to dictionary, brute force or other standard attacks;
o change passwords periodically;
o change a temporary password on first log-on;
o avoid storing passwords in automated log-on processes;
o not use the same password for business and non-business purposes;
o use the same password for multiple systems/services only where a reasonable level of security can be assured for each.
4.11.5.3.2 Access token use
Users shall follow good security practices in the use of tokens. The following points need to be considered when advising/requiring users to:
o keep tokens secure and not "share" them;
o avoid keeping a paper or electronic record of the PIN associated with a two-factor token; and
o report when a token is lost or there is any suspicion that it has been compromised.
4.11.5.3.3 Monitoring of activity history
Users shall monitor password/token activity history where available. The following points need to be considered when advising/requiring users to:
o observe and report discrepancies in "last successful login" and "last unsuccessful login" information, when it is available; and
o observe and report discrepancies in date/time information for all other activities which have timestamps, such as file accesses or modifications.
4.11.5.3.4 Appropriate use of user equipment
Users shall observe appropriate physical and technical practices with respect to the equipment assigned to them. The following points need to be considered:
o requirement to limit use to performing appropriate functions in an appropriate manner;
o user training in appropriate functions and use; and
o monitoring of user behavior through appropriate technical means.
4.11.5.3.5 Unattended user equipment
Users shall ensure that unattended computing equipment has appropriate protection. Unattended equipment controls mandated by this policy include but are not limited to:
o terminating active (logged-in) sessions before a device is left unattended, unless it can be securely "locked" (e.g., with a password-protected screensaver); and
o physically securing devices, or the area in which a device is located, with a key-lock or equivalent if a device will be unattended.
4.11.5.4 Network access control: The purpose of this section is to outline policies that support prevention of unauthorized access to network services.
4.11.5.5 Operating system access control: The purpose of this section is to outline policies that support prevention of unauthorized access to operating systems, and the data and services thereof.
Controls shall be implemented to restrict data system access to authorized users, by requiring authentication of authorized users in accordance with the defined access control policy. Controls include:
o providing mechanisms for authentication by knowledge-, token- and/or biometric-factor methods as appropriate;
o recording successful and failed system authentication attempts;
o recording the use of special system privileges; and
o issuing alarms when access security controls are breached.
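The three recording and alarming controls above can be checked against an ordinary authentication log. The following is an added illustration, not part of the ADWEA policy or of any ADWEA system: it reads constructed syslog-style lines (the line format, host names, account names, the five-failure threshold and the ten-minute window are all assumptions made for this example), records every successful and failed authentication attempt, records each use of special privileges via sudo, and raises an alarm for an account whose failed attempts reach the threshold inside the sliding window.

```python
"""Added example: a minimal monitor for the 4.11.5.5 controls.

Records successful and failed authentication attempts, records use of
special system privileges (sudo), and raises an alarm when the number of
failed attempts for one account within a sliding window reaches a threshold.
Log format, hosts, accounts, threshold and window are assumptions for this
example, not ADWEA values."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not real ADWEA logs).
SAMPLE_LOG = """\
2024-03-01T08:00:01 srv01 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:00:15 srv01 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:00:20 srv01 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:00:25 srv01 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:00:31 srv01 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:00:36 srv01 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:05:00 srv01 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx
2024-03-01T09:00:00 srv01 sshd: Failed password for carol from 10.0.0.7
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.+)$")

FAILED_THRESHOLD = 5            # assumed lockout threshold for the example
WINDOW = timedelta(minutes=10)  # assumed sliding window


def monitor_auth(log_text, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return (events, alarms).

    events: one dict per authentication attempt or privilege use, i.e. the
            audit trail the policy asks to record.
    alarms: one string per account whose failed-attempt count reached the
            threshold inside the window (the control was breached)."""
    events = []
    alarms = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures
    alarmed = set()                        # alarm once per account

    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            ok = m["result"] == "Accepted"
            events.append({"kind": "auth", "user": m["user"], "host": m["host"],
                           "src": m["src"], "success": ok, "ts": ts})
            if not ok:
                q = recent_failures[m["user"]]
                q.append(ts)
                # drop failures that have fallen out of the sliding window
                while q and ts - q[0] > window:
                    q.popleft()
                if len(q) >= threshold and m["user"] not in alarmed:
                    alarmed.add(m["user"])
                    alarms.append(f"{m['user']}: {len(q)} failed logons within "
                                  f"{window} on {m['host']} from {m['src']}")
            continue
        m = SUDO_RE.match(line)
        if m:
            # use of special system privileges is recorded as its own event
            events.append({"kind": "privilege", "user": m["user"],
                           "host": m["host"], "cmd": m["cmd"],
                           "ts": datetime.fromisoformat(m["ts"])})
    return events, alarms


if __name__ == "__main__":
    evs, als = monitor_auth(SAMPLE_LOG)
    for e in evs:
        print(e)
    for a in als:
        print("ALARM:", a)
```

On the constructed input this records eight events (seven authentication attempts and one privileged command) and raises a single alarm for the account with five failures in ten minutes; the single failure for the third account stays below the threshold and is recorded without an alarm.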
4.11.5.6 Application and information access control: This category aims to prevent unauthorized access to information held in application systems.
4.11.5.7 Mobile computing and teleworking: This category aims to ensure information security when using mobile computing and teleworking facilities. Controls shall be implemented that are commensurate with the:
o type of user(s);
o setting(s) of mobile/teleworking use; and
o sensitivity of the applications and data being accessed from mobile/teleworking settings.
and "smart" phone-PDAs; and portable storage devices and media. Controls include requirements for
ensuring:
o physical protection;
o data storage minimization;
o access controls;
o cryptographic techniques;
o data backups;
o anti-virus and other protective software;
o operating system and other software updating;
o secure communication (e.g., VPN) for remote access; and
o sanitization prior to transfer or disposal.
4.11.5.7.2 Teleworking
Under this policy element appropriate standards, procedures and security measures shall be adopted or developed for "teleworking" activities in off-premises locations. The following points need to be considered:
o physical security measures at the off-premises site;
o appropriate access controls, given reasonably anticipated threats from other users at the site (e.g., family members);
o cryptographic techniques for data storage at and communications to/from the site;
o data backup processes and security measures for those backup copies;
o security measures for wired and wireless network configurations at the site;
o policies regarding intellectual property used or created at the site, including software licensing;
o policies regarding organizational property used at the site (e.g., the organization's computing hardware);
o policies regarding private property used at the site (e.g., teleworkers' computing hardware); and
o insurance coverage or other specification of financial responsibility for equipment repair or replacement.
As per the Roles and Responsibilities section at the end of the overall IT policy set.
To ensure that third parties adequately secure the information and technology resources that they access, process, and manage. This includes information sharing, defining legal obligations, and ensuring non-disclosure agreements are executed to protect confidential information.
To ensure that supplier agreements are established and documented so that there is no misunderstanding regarding both parties' obligations to fulfill relevant security requirements.
This policy covers all ADWEA's information resources and supporting systems, whether managed or hosted internally or externally.
4.12.3 Background
External 3rd party suppliers are a vital component of business operations. Suppliers may have access to a
wide range of information from the supported organization. Once shared with a supplier, direct control of
this information is lost, regardless of sensitivity or value. As a result, appropriate technical and contractual
controls and mitigation processes must be established with all external suppliers.
When beginning the process of developing and establishing a 3rd party security policy/program, the following fundamentals must be considered and adhered to:
- Identify and document the various suppliers and the types of information that they access or manipulate.
- Identify current policies and standards that describe or include third party responsibilities and any compliance requirements associated with external providers (e.g., HIPAA, PCI DSS, NESA, ISO 27000).
- Review data classification standards and how these relate to the suppliers and the information that they handle. Where applicable it shall be ensured that information security and data protection clauses are included in any supplier contracts.
- Review or develop a supplier lifecycle process, including initial reviews, monitoring, validation, and ongoing assessments.
4.12.5.4.1 Once operations of service providers have started, ADWEA shall ensure that the
services delivered conform to the specifications of third-party contracts. This can
include everything from availability levels of the service to something more granular,
such as examining the security controls the service provider agreed to in the contract.
If there is a great level of dependency upon third-party service providers, checking into
service capabilities, plans for handling information security incidents or service
disruptions, and business continuity testing may be warranted. Systematic monitoring
and reviews of services and controls are also recommended, including scrutinizing
service reports provided by the third-party to ensure the information is sufficient and
relevant. As business or information technology requirements are modified, this may
also require a change in the provision of third-party services, and procedures shall be
in place to handle any new requirements. Additionally, modifications may also call for a
review of existing information security controls to ensure they are adequate.
4.12.5.5 Monitoring and Reviewing Supplier Services
4.12.5.5.1 Organizations shall regularly monitor, review and audit supplier service delivery.
Organizations cannot overlook the need to manage the risk to their information assets
that are accessed, processed, communicated to, or managed by external parties
(partners, vendors, contractors, etc.). The service provider shall be continuously
monitored to assure that services provided are meeting the terms of the contract and
security is maintained. There shall be ongoing review of service reports, a process to
address concerns and issues, and periodic audits. This section also encompasses
documentation and procedures for handling security incidents, including incident
reporting, mitigation and subsequent reviews. Finally, service capability levels must be
monitored to ensure that the service provider continues to meet the contract terms and
needs of the business. In addition to regular review and monitoring of the services
provided, the contracting organization shall:
- Conduct audits of suppliers in conjunction with outside assessments
- Require the supplier to promptly notify regarding security incidents
- Provide regular audit trails and records for security events
- Have a conflict resolution process that can be invoked if requirements are not met
o Service enhancements
o Bug fixes
o Use of new technology
o New development tools
o Enhanced security measures
o Change of subcontractor
o Change of physical sites
Where possible, supplier changes shall be integrated with the contracting organization's change management processes.
As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.
To ensure that security requirements are established as an integral part of the entire lifecycle of an information system.
To ensure that development lifecycle processes are established to maintain the security of information systems as the systems are designed, developed, tested, and maintained.
To ensure the protection of data used for testing.
This policy covers all ADWEA's information resources and supporting systems, whether managed or hosted internally or externally.
4.13.3 Background
Security risks and events occur throughout a system's lifetime. This is true whether the system is developed
internally or purchased for on-premises hosting or cloud implementation. Security shall be embedded
throughout all phases of the system development life cycle, assessed during system acquisition processes,
and monitored during system maintenance, including disposal.
To be most effective, information security must be integrated into the system lifecycle from system inception
through system disposal. Regardless of the formal or informal lifecycle methodology employed, security can
be incorporated into information systems acquisition, development and maintenance by implementing
effective security practices in the following areas.
- Security requirements for information systems
- Security in development and support processes
- Test data
4.13.5.1 Security requirements of information systems: The objective of this category is to ensure that security is an integral part of the organization's information systems, and of the business processes associated with those systems.
4.13.5.2 Correct processing in applications: This category aims to prevent errors, loss, unauthorized modification or misuse of information in applications.
4.13.5.3 Cryptographic controls: This category aims to protect the confidentiality, integrity and authenticity of information by cryptographic means.
4.13.5.4 Security of system files: This category aims to ensure the security of critical system files.
o appropriate change management and configuration control processes for all stages of updating;
o appropriate documentation of the nature of the change and the processes used to implement it;
o a rollback strategy in place, including retention of prior versions as a contingency measure; and
o appropriate audit logs maintained to track changes.
4.13.5.5 Security in development and support processes: This category aims to maintain the security of application system software and information.
4.13.5.6 Technical vulnerability management: This category aims to reduce risks resulting from exploitation of published technical vulnerabilities.
As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.
To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
To ensure personnel are trained and equipped to detect, report, and respond to adverse events, providing the foundation for effective Information Security Incident Management.
To build an effective, timely, repeatable methodology for managing information security incidents that meets legal requirements and is continually improved.
To ensure that the information security incident response is integrated with the overall risk management process to provide the capability to update the risk management portfolio.
This policy covers ADWEA's information security related incident management and supporting systems and processes, whether managed or hosted internally or externally.
4.14.3 Background
No matter the extent of our defenses, it is inevitable that Information Security Incidents will occur. For this
reason, establishing, periodically assessing, and continually improving incident management processes and
capabilities is very important.
These are some of the fundamental elements of any incident management program which can act as our
guidelines for developing an appropriate IS incident management policy and process. They are listed below.
- Define what constitutes an information security incident and review how varied incidents can be classified.
- Consider what constitutes an information security incident that requires special handling (vs. common security events). Review incident classification schemes that allow for aligning handling procedures to potential impacts and risks.
- Identify and establish essential roles and procedures needed for effective incident management.
- Evaluate the technical and operational capabilities of your organization to detect and respond to security incidents. Consider how senior management support can be gained to formalize effective incident management processes. Formulate procedures and workflow for effectively addressing incidents throughout their lifecycle.
- Create effective communication, coordination, and reporting plans for a broad spectrum of incidents including data breach events.
- Identify key partners and stakeholders and levels of communication and engagement. Review the legal and contractual communication requirements associated with data types that may be involved in Information Security Incidents.
- Adapt and learn from security incidents and strive for continual improvement by identifying and planning for training needs and enhancement of response capabilities.
4.14.5.1 Reporting information security events and weaknesses: This category aims to ensure that information security events and weaknesses associated with the organization's information and information system assets are communicated in a manner that allows appropriate corrective actions to be taken.
4.14.5.2 Management of information security incidents and improvements: This category aims to ensure a consistent and effective approach is applied to the management of information security events and incidents.
As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.
Information system continuity planning provides a managed, organized method for the deployment of resources and procedures to assure the continuity of critical IS-dependent business operations under extraordinary circumstances, including the maintenance of measures to assure the privacy and security of its information resources. The key objective/goal is to ensure timely resumption from, and if possible prevention of, interruptions to business activities and processes caused by failures of information systems.
The IS continuity policy covers all of ADWEA's information resources and supporting people, processes and systems, whether managed or hosted internally or externally.
4.15.3 Background
Organizations are vulnerable to a variety of natural and man-made emergencies, disasters, and hazards.
Recognizing that not all events can be prevented and some risks may be deemed acceptable, proper planning
is essential to maintain or restore services when an unexpected or unavoidable event disrupts normal
operations.
These are some of the fundamental elements of any critical functions continuity program which can act as our guidelines for developing an appropriate Information Systems Continuity related policy and process. They are listed below.
- Obtain commitment and authority from organizational leadership. High level support is essential for building the cross-functional teams that are needed to prepare and deploy the plan.
- Establish a planning team for each business unit.
- Perform a risk assessment in each unit.
- Identify critical resources:
o People: Identify all support staff, and establish a chain of succession for key personnel.
o Places: Identify key buildings, and plan alternate locations for workers and equipment.
o Systems: Perform a business impact analysis to prioritize systems in terms of criticality.
o Other: Identify other critical assets required for normal business operations.
- Determine continuity and recovery strategies within each unit.
- Train students, faculty, and staff on what to do in case of a disaster.
- Test, test, test! Test system recovery procedures. Generate scenarios and simulate them with table top exercises.
- Create a communication plan.
4.15.5.1 Information security aspects of business continuity management: This category's objective is to ensure timely resumption from, and if possible prevention of, interruptions to business activities and processes caused by failures of information systems.
As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.
Item Description
Role Description
CISO (Chief Information Security Officer): The CISO has the overall responsibility for the enterprise information security program. Depending on a variety of factors within the enterprise, the CISO may report to the CEO, COO, CIO, CRO or other senior executive management.
The CISO is the liaison between executive management and the information security program. The CISO shall also communicate and co-ordinate closely with key business stakeholders to address information protection needs.
The CISO must:
o Have an accurate understanding of the business strategic vision
o Be an effective communicator
o Be adept at building effective relationships with business leaders
o Be able to translate business objectives into information security requirements
The CISO is responsible for:
o Establishing and maintaining an information security management system (ISMS)
o Defining and managing an information security risk treatment plan
o Monitoring and reviewing the ISMS
Policy Owner: The Policy Owner is responsible for providing support and advice about this policy.
6.1 All the defined security policies are applicable to new IT systems without exception. However, where the above security measures cannot be implemented in existing control systems due to older technology or system limitations, the policy recommends enforcing the measures to an acceptable extent without affecting the performance, integrity and availability of the IT systems.
6.2 Temporary override of security controls such as application whitelisting, DLP, HIPS, etc. may be allowed for legitimate job requirements by authorized personnel with approval.
6.3 Security updates and solutions, including new virus definitions, operating system patches, etc., shall be qualified and approved by the respective IT system vendors. The IT system vendor is accountable for any performance or availability issues arising on IT systems from the security solutions provided or approved by the vendor.
7 REFERENCES
Item Description
8 APPENDICES
8.1 Definitions
Glossary term (acronym, if any): Definition
Process Owner: Person or role who has ultimate responsibility for the performance of a process
Risk management framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
Risk management policy: Statement of the overall intentions and direction of an organization related to risk management
Risk owner: Person or entity with the accountability and authority to manage a risk
Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable