
Effective Date: Xst of Xxx 20XX

Volume Chapter Version


IT GOVERNANCE X X X
Page 1 of 93
Approval Stamp.
Chairman:
CYBER SECURITY POLICY

CYBER SECURITY POLICY

This document is the property of ADWEA and cannot be used nor provided to outside party without prior authorization.
DESCRIPTION   TITLE                                        SIGNATURE

Prepared By   Job Title / Section / Department
Reviewed By   IMS Representative
Reviewed By   Technology Advisor, Planning & Development
Endorsed By   Director / Committee
Endorsed By   Director General
Approved By   Chairman

CHANGES HISTORY SHEET

DOC. CHANGE NO.   PAGE NO.   NEW ISSUE DATED   DOC. CHANGE REQUEST NO.   SUMMARY OF CHANGE

1 Table of Contents

2 EXECUTIVE SUMMARY 9
3 GENERAL APPLICABILITY 9
4 IT POLICY ELEMENTS 10
4.1 [ITD-PL-001] INFORMATION SECURITY POLICY 10
4.1.1 Policy summary / Goals 10
4.1.2 Applicability / Scope 10
4.1.3 Background 10
4.1.4 Guiding principle 10
4.1.5 Detailed policy requirements 11
4.1.6 Responsibilities and accountabilities 13
4.1.7 Any References 14
4.2 [ITD-PL-002] INFORMATION SECURITY RISK MANAGEMENT POLICY 15
4.2.1 Policy summary / Goals 15
4.2.2 Applicability / Scope 15
4.2.3 Background 15
4.2.4 Guiding principle 15
4.2.5 Detailed policy requirements 16
4.2.6 Responsibilities and accountabilities 18
4.2.7 Any References 19
4.3 [ITD-PL-003] AWARENESS AND TRAINING POLICY 20
4.3.1 Policy summary 20
4.3.2 Applicability 20
4.3.3 Background 20
4.3.4 Guiding principle 20
4.3.5 Detailed policy requirements 21
4.3.6 Responsibilities and accountabilities 21
4.3.7 Any References 22
4.4 [ITD-PL-004] HUMAN RESOURCES SECURITY POLICY 23
4.4.1 Policy summary / Goals 23
4.4.2 Applicability / Scope 23
4.4.3 Background 23
4.4.4 Guiding principle 23
4.4.5 Detailed policy requirements 24
4.4.6 Responsibilities and accountabilities 25
4.4.7 Any References 25
4.5 [ITD-PL-005] COMPLIANCE POLICY 26
4.5.1 Policy summary / Goals 26
4.5.2 Applicability / Scope 26
4.5.3 Background 26
4.5.4 Guiding principle 26
4.5.5 Detailed policy requirements 27
4.5.6 Responsibilities and accountabilities 27
4.5.7 Any References 28
4.6 [ITD-PL-006] PERFORMANCE EVALUATION POLICY 29
4.6.1 Policy summary / Goals 29
4.6.2 Applicability / Scope 29
4.6.3 Background 29
4.6.4 Guiding principle 29
4.6.5 Detailed policy requirements 30
4.6.6 Responsibilities and accountabilities 30
4.6.7 Any References 30
4.7 [ITD-PL-007] ASSET MANAGEMENT POLICY 31
4.7.1 Policy summary / Goals 31
4.7.2 Applicability / Scope 31
4.7.3 Background 31
4.7.4 Guiding principle 31
4.7.5 Detailed policy requirements 32
4.7.6 Responsibilities and accountabilities 34
4.7.7 Any References 35
4.8 [ITD-PL-008] PHYSICAL AND ENVIRONMENTAL POLICY 36
4.8.1 Policy summary / Goals 36
4.8.2 Applicability / Scope 36
4.8.3 Background 36
4.8.4 Guiding principle 36
4.8.5 Detailed policy requirements 37
4.8.6 Responsibilities and accountabilities 41
4.8.7 Any References 41
4.9 [ITD-PL-009] OPERATIONS SECURITY POLICY 42
4.9.1 Policy summary / Goals 42
4.9.2 Applicability / Scope 42
4.9.3 Background 42
4.9.4 Guiding principle 42
4.9.5 Detailed policy requirements 43
4.9.6 Responsibilities and accountabilities 48
4.9.7 Any References 48
4.10 [ITD-PL-010] COMMUNICATIONS POLICY 49
4.10.1 Policy summary / Goals 49
4.10.2 Applicability / Scope 49
4.10.3 Background 49
4.10.4 Guiding principle 49
4.10.5 Detailed policy requirements 50
4.10.6 Responsibilities and accountabilities 53
4.10.7 Any References 53
4.11 [ITD-PL-011] ACCESS CONTROL POLICY 54
4.11.1 Policy summary / Goals 54
4.11.2 Applicability / Scope 54
4.11.3 Background 54
4.11.4 Guiding principle 54
4.11.5 Detailed policy requirements 55
4.11.6 Responsibilities and accountabilities 63
4.11.7 Any References 64
4.12 [ITD-PL-012] THIRD-PARTY SECURITY POLICY 65
4.12.1 Policy summary / Goals 65
4.12.2 Applicability / Scope 65
4.12.3 Background 65
4.12.4 Guiding principle 65
4.12.5 Detailed policy requirements 66
4.12.6 Responsibilities and accountabilities 70
4.12.7 Any References 70
4.13 [ITD-PL-013] INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE POLICY 71
4.13.1 Policy summary / Goals 71
4.13.2 Applicability / Scope 71
4.13.3 Background 71
4.13.4 Guiding principle 71
4.13.5 Detailed policy requirements 71
4.13.6 Responsibilities and accountabilities 75
4.13.7 Any References 76
4.14 [ITD-PL-014] INFORMATION SECURITY INCIDENT MANAGEMENT POLICY 77
4.14.1 Policy summary / Goals 77
4.14.2 Applicability / Scope 77
4.14.3 Background 77
4.14.4 Guiding principle 77
4.14.5 Detailed policy requirements 78
4.14.6 Responsibilities and accountabilities 80
4.14.7 Any References 80
4.15 [ITD-PL-015] INFORMATION SYSTEMS CONTINUITY PLANNING POLICY 81
4.15.1 Policy summary / Goals 81
4.15.2 Applicability / Scope 81
4.15.3 Background 81
4.15.4 Guiding principle 81
4.15.5 Detailed policy requirements 82
4.15.6 Responsibilities and accountabilities 83
4.15.7 Any References 84
5 ROLES AND RESPONSIBILITIES 85
6 EXCEPTIONS AND CONDITIONS 90
7 REFERENCES 91
8 APPENDICES 92
8.1 DEFINITIONS 92

2 EXECUTIVE SUMMARY

As cyber threats such as hacktivism and cybercrime evolve, so must our efforts to defend
against them in a coordinated and systematic manner. To align and direct national
cybersecurity efforts, the UAE Government created the National Electronic Security
Authority (NESA), which developed the UAE Information Assurance (IA) Standards to
improve national cybersecurity and protect the national information and
communications infrastructure.
The adoption of these Standards by important UAE government entities such as ADWEA
shall help develop a trusted digital environment for businesses and individuals
across the nation.
To this effect, the ADWEA Information Security Policies have been established to clearly
articulate which business policies shall be followed to improve ADWEA's information security
posture as it relates to the protection of its people and information.
It is important to note that the ADWEA Security Policies are based upon the UAE IA Standards (IAS)
set by NESA, a recognized and respected information security standard developed for the
protection of critical infrastructure across the UAE.

3 GENERAL APPLICABILITY

This policy is applicable to all ADWEA information assets, including (but not limited to)
all services, processes, and systems managed by the Information Technology and Operational
Technology Departments, unless specific overriding scopes are identified under specific
policy elements / sub-elements.

4 IT POLICY ELEMENTS

4.1 [ITD-PL-001] Information Security Policy

4.1.1 Policy summary / Goals

This policy protects the information used to conduct ADWEA's business and the systems
that support this information. The high-level objectives of this information security policy are:
Maintaining the confidentiality of sensitive information
Successful management of information security risks within the entity
Efficient management of the information security process
Compliance with sector or national requirements

4.1.2 Applicability / Scope

This policy is applicable to all ADWEA information, including (but not limited to) all
services, processes, and systems managed by the Information Technology and Operational
Technology Departments.

4.1.3 Background

We believe that information security is critical for establishing trust between our
customers, business partners, and employees. It is one of the fundamental requirements
for ensuring the integrity and timely availability of information in order to serve our customers
efficiently and effectively, to ensure legal compliance and to prevent unauthorized access to
our business systems and data.
These policies communicate the direction to be followed in securing the organization.

4.1.4 Guiding principle

Information, software, infrastructure, people, locations, property, reputation, and
intangible services are critical business assets; security ensures the confidentiality,
integrity, availability, reliability, and safety of these assets.
Security is provided in a manner that fully serves the business interest. The
application of security requirements is consistent with business requirements and
adheres to industry best practices and applicable laws and regulations.
Business assets are used only for authorized purposes.
ADWEA's management, its employees across its group of companies and its information
technology service contractors are accountable for the protection of business assets
received, created, or held by, or on behalf of, ADWEA and its clients.

4.1.5 Detailed policy requirements

4.1.5.1 The CEO shall ensure that the information security policy, as well as guidelines and standards,
are utilized and acted upon by delegating the responsibility appropriately down the line while
remaining accountable.
4.1.5.2 The CEO/VP-IT must ensure the availability of sufficient training and information material for all
users, to enable the users to protect ADWEA's data and information systems.
4.1.5.3 The security policy shall be reviewed and updated annually or when necessary, in accordance
with principles described in NESA UAE Information Assurance Standards.
4.1.5.4 All important changes to ADWEA's activities, and other external changes related to the threat
level, shall result in a revision of the policy and the guidelines relevant to the information security.
4.1.5.5 It is the organization's policy that the information it manages shall be appropriately secured to
protect against the consequences of breaches of confidentiality, failures of integrity or
interruptions to the availability of that information.
4.1.5.6 This information security policy provides management direction and support for information
security across the organization. Specific, subsidiary information security policies shall be
considered part of this information security policy and shall have equal standing.
4.1.5.7 This policy has been ratified by the organization and forms part of its policies and procedures,
including its Regulations for Conduct. It is applicable to and will be communicated to staff and
other relevant parties.
4.1.5.8 This policy shall be reviewed and updated regularly to ensure that it remains appropriate in the
light of any relevant changes to the law, organizational policies or contractual obligations.
4.1.5.9 To determine the appropriate levels of security measures applied to information systems, a
process of risk assessment shall be carried out for each system to identify the probability and
impact of security failures.
4.1.5.10 To manage information security within the organization an information security oversight
committee shall be established, chaired by a senior officer and comprising appropriate senior
organizational managers. The objective of this group shall be to ensure that there is clear
direction and visible management support for security initiatives.
4.1.5.11 This oversight group shall promote security through appropriate commitment and adequate
resourcing.
4.1.5.12 An information security working party, comprising management representatives from all relevant
parts of the organization, shall devise and coordinate the implementation of information security
controls.
4.1.5.13 The responsibility for ensuring the protection of information systems and ensuring that specific
security processes are carried out shall lie with the head of the department managing that
information system.
4.1.5.14 Specialist advice on information security shall be made available throughout the organization.

4.1.5.15 The organization will establish and maintain appropriate contacts with other organizations, law
enforcement authorities, regulatory bodies, and network and telecommunications operators in
respect of its information security policy.
4.1.5.16 The implementation of the information security policy shall be reviewed independently of those
charged with its implementation.
4.1.5.17 Violations of this policy, including failure to report non-compliance, can result in disciplinary
action as described in the exceptions process.

4.1.6 Responsibilities and accountabilities

Typically, senior management has the overall responsibility for safeguarding the assets
of an organization in an effective and satisfactory manner as required by current laws,
regulations or contracts.
In the context of information security within ADWEA, the CEO has the overall
responsibility for information security at ADWEA.

4.1.6.1 Owner of the security policy - The CEO is the owner of the security policy (this document). The
CEO delegates the responsibility for security-related documentation to the CISO (Chief
Information Security Officer). All policy changes must be approved and signed by the CISO.
4.1.6.2 CISO (Chief Information Security Officer) - The CISO holds the primary responsibility for
ensuring the information security at ADWEA.
4.1.6.3 System/Process owner- The system/process owner, (typically department or function heads) in
consultation with the IT department, is responsible for the purchasing requirements, development
and maintenance of information and related information systems. All systems and all types of
information must have a defined owner. The system owner must define which users or user
groups are allowed access to the information and what authorized use of this information
consists of. The system ownership shall be described / identified in a separate document.
4.1.6.4 System administrator - System administrators are the persons administering ADWEA's information
systems and the information entrusted to the entity by other parties. Each type of information and
system may have one or more dedicated system administrators. They are responsible for
protecting the information, including implementing access control systems to safeguard
confidentiality, and for carrying out backup procedures to ensure that critical information is not lost.
They will further implement, run and maintain the security systems in accordance with the
security policy. Each system must have one or more system administrators, and this shall be
documented.
4.1.6.5 Users - Employees are responsible for becoming acquainted and complying with ADWEA's IT
regulations and policies. Questions regarding the administration of various types of information
shall be posed to the system owner of the relevant information, or to the system administrator.
4.1.6.6 Consultants and contractual partners - Contractual partners and contracted consultants must
sign a confidentiality agreement prior to accessing sensitive information. The system owner is
responsible for ensuring that this is implemented.

4.1.7 Any References

Item Description

4.2 [ITD-PL-002] Information Security Risk Management Policy

4.2.1 Policy summary / Goals

To ensure that a current and complete information risk profile exists for
technology, applications and infrastructure within the enterprise.
To ensure that the entity's risk appetite and tolerance are understood,
articulated and communicated internally.
To ensure that these risks are treated in accordance with the information
security requirements and objectives of the entity, which are aligned with the
NESA requirements.

4.2.2 Applicability / Scope

Information Security Risk Management covers all of ADWEA's information resources
and supporting systems, whether managed or hosted internally or externally.

4.2.3 Background

Entities owning, operating and/or maintaining Critical Information Infrastructure in the
UAE must consider all relevant NESA issuances and guidance about risk management
when performing risk assessments.
These entities are charged with protecting the confidentiality, integrity and availability
of their information resources as per NESA mandates. To accomplish this task, a formal
Information Security Risk Management Program has been established as a component of
ADWEA's Information Security Program to ensure that ADWEA operates with an
acceptable level of risk. The Information Security Risk Management Program is
described in this policy.

4.2.4 Guiding principle

Effective enterprise governance and management of IT risk:
Always connects to business objectives
Aligns the management of IT-related business risk with overall enterprise risk
management (ERM) if applicable, i.e., if ERM is implemented in the enterprise
Balances the costs and benefits of managing IT risk

Promotes fair and open communication of IT risk
Establishes the right tone from the top while defining and enforcing personal
accountability for operating within acceptable and well-defined tolerance levels
Is a continuous process and part of daily activities.

4.2.5 Detailed policy requirements

4.2.5.1 ADWEA will use the NESA IAS as its framework for managing its IT information security risks by
establishing the context, performing IT risk assessments, implementing risk treatments and
monitoring their implementation.
4.2.5.2 A formal, documented and approved process and procedure shall be associated with IS
risk assessment, treatment and monitoring at ADWEA.
4.2.5.3 The scope of the risk assessment, treatment and monitoring shall cover all the critical services
and their supporting functions based on the information asset classification (refer to asset
management policy).
4.2.5.4 Roles and responsibilities related to the overall IS risk management for ADWEA shall be clearly
defined and communicated.
4.2.5.5 Risk impact criteria, acceptance criteria and risk evaluation criteria shall be clearly defined under
risk management standards.
4.2.5.6 The IS risk management shall be integrated with the enterprise risk management.
4.2.5.7 The IS risk management plan shall cover all the main elements as outlined below.
4.2.5.7.1 Information Risk Identification - ADWEA shall apply the information security risk
assessment process to identify risks associated with the loss of confidentiality, integrity
and availability of its critical information assets by:
a) Clearly defining the scope of the risk assessment exercise.
b) Identifying critical business functions.
c) Identifying critical information systems supporting business-critical functions within the
scope and boundary of the risk assessment.
d) Identifying vulnerabilities related to the information and information systems.
e) Identifying existing information security controls.
f) Identifying threats and threat sources.
g) Identifying the risk owners.
h) Finally, documenting the results of the risk identification.

4.2.5.7.2 Information Risk Analysis and Evaluation - Based on the risks identified, ADWEA shall
perform a risk analysis and evaluation to identify and document the business impact
of the risk exposure. The following essentials need to be considered:
i) Assess the potential consequences that would result if the identified risks were to
materialize, by assessing the consequences of losses of confidentiality, integrity or
availability.
j) Assess the realistic likelihood of the occurrence of the identified risks based on the existing
controls, identified vulnerabilities and threats.
k) Determine the overall levels of risk.
l) Document the results of the risk analysis.
m) Establish priorities for treatment of the identified risks.
n) Share the results with national and sector authorities where applicable.
4.2.5.7.3 Information Risk Treatment - ADWEA shall identify and plan appropriate risk
treatment for IT risks that have been assessed, based on the following guidelines:
o) It shall consider the following risk treatment options and select one or more of them for
each of the risks assessed during the risk assessment:
o Risk Reduction - reducing the risk by applying security controls.
o Risk Retention - accepting the risk based on the entity's risk acceptance criteria
established as per this policy.
o Risk Avoidance - avoiding the activity or condition causing the risk.
o Risk Transfer - transferring the risk to another party.
p) It shall identify all controls that are necessary to implement the information security risk
treatment option(s) chosen:
o It will use the controls listed in the NESA IAS as a starting point for
control identification and may expand on them.
o It will ensure that no controls are overlooked by producing a Statement of
Applicability for the risk treatment.
o It will identify controls in addition to those suggested by NESA that may be
specific to the entity or the sector.
q) ADWEA shall then formulate a risk treatment plan which clearly identifies the
following:
o Appropriate management actions
o Resources required
o Responsibilities and priorities for managing information security risks
o Target dates for implementation of the identified controls
o The documentation of the risk treatment plan.

4.2.5.7.4 Monitoring of Information Security Risk Management - ADWEA shall plan and
document the process for the review and update of the risk assessment and treatment;
this shall include planned reviews and updates as well as ad hoc updates if significant
changes occur.
r) ADWEA's monitoring and review processes shall encompass all aspects of the risk
management process and shall take account of changes in:
o A. The entity itself
o B. Technology used
o C. Business objectives and processes
o D. Risk criteria and the risk assessment process
o E. Assets and the consequences of losses of confidentiality, integrity or availability
o F. Identified threats
o G. Identified vulnerabilities
o H. Effectiveness of the implemented controls
o I. External events, such as changes to the legal or regulatory environment, changed
contractual obligations, and changes in social climate.
s) ADWEA shall monitor security incidents that might trigger the risk assessment process.
t) Responsibilities for monitoring and review shall be clearly defined and documented.
4.2.5.7.5 Communication of Information Security Risks - ADWEA shall communicate and
consult on risk information obtained during and after risk management activities with all
stakeholders involved.
u) It will establish and use a formal risk communication plan for communicating risk
information to key stakeholders, including decision-makers within the entity, during all
stages of the risk management process.

4.2.6 Responsibilities and accountabilities

Typically, senior management has the overall responsibility for managing
risks in any organization as required by current laws, regulations or contracts.
In the context of IT-related risks within ADWEA, the CEO has the overall
responsibility for managing ADWEA's information-based risk exposure.

4.2.6.1 Owner of the security policy - The CEO is the owner of the IS risk management policy. The CEO
may delegate the responsibility for managing IT-related risks to the CISO (Chief Information
Security Officer). In that case all policy changes related to IT risk must be approved and signed
by the CISO.
4.2.6.2 CISO (Chief Information Security Officer) - The CISO holds the primary responsibility for ensuring
that the information security risk management policy is implemented and enforced at ADWEA,
based on authority delegated by the CEO.
4.2.6.3 System administrator - System administrators are the persons administering ADWEA's information
systems and the information entrusted to the entity by other parties. Each type of information and
system may have one or more dedicated system administrators. They are responsible for
protecting the information, including implementing access control systems to safeguard
confidentiality, and for carrying out backup procedures to ensure that critical information is not lost.
They will further implement, run and maintain the security systems in accordance with this policy.
4.2.6.4 Users - Employees are responsible for becoming acquainted and complying with ADWEA's IT
regulations and policies. Questions regarding the administration of various types of information
shall be posed to the system owner of the relevant information, or to the system administrator.
4.2.6.5 Consultants and contractual partners - Contractual partners and contracted consultants must sign
a confidentiality agreement prior to accessing sensitive information. The system owner is
responsible for ensuring that this is implemented.

4.2.7 Any References

Item Description

4.3 [ITD-PL-003] Awareness and Training Policy

4.3.1 Policy summary

This policy specifies an information security awareness and training program to inform and motivate all
workers regarding their information security obligations.

4.3.2 Applicability

This policy applies throughout the organization as part of the corporate governance framework. It applies
regardless of whether or not workers use the computer systems and networks, since workers are expected to
protect all forms of information asset including computer data, written materials/paperwork and intangible
forms of knowledge and experience. This policy also applies to third party employees working for the
organization whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound
(e.g. by generally held standards of ethics and acceptable behavior) to comply with our information security
policies.

4.3.3 Background

Technical IT security controls are a vital part of our information security framework but are not in
themselves sufficient to secure all our information assets. Effective information security also requires the
awareness and proactive support of all workers, supplementing and making full use of the technical security
controls. This is obvious in the case of social engineering attacks and frauds, for example, which specifically
target vulnerable humans rather than IT and network systems. Lacking adequate information security
awareness, workers are less likely to recognize or react appropriately to information security threats and
incidents, and are more likely to place information assets in danger through ignorance and carelessness.
Whereas awareness implies a basic level of understanding about a broad range of information security
matters, training implies more narrowly-focused and detailed attention to one or more specific topics.
Training tends to be delivered through classroom or online courses, while awareness tends to be delivered by
multiple communications methods such as seminars, case studies, written briefing and reference materials
(for self-motivated study), posters and conversations. Awareness provides the foundation level of knowledge
and understanding for training to build upon. In other words, security awareness and training are
complementary approaches.

4.3.4 Guiding principle

In order to protect information assets, all workers must be informed about relevant, current information
security matters, and motivated to fulfill their information security obligations.

4.3.5 Detailed policy requirements

4.3.5.1 An information security awareness program shall ensure that all workers achieve and maintain at
least a basic level of understanding of information security matters, such as their general obligations
under the various information security policies, standards, procedures, guidelines, laws, regulations
and contractual terms, plus generally held standards of ethics and acceptable behavior.
4.3.5.2 Additional training is mandated for workers with specific information security obligations
that are not satisfied by basic security awareness, for example Information Risk and Security
Management, Security Administration, Site Security and IT/Network Operations personnel. Such
training requirements must be identified in workers' personal training plans and funded
accordingly. The training requirements will reflect workers' relevant prior experience, training
and/or professional qualifications, as well as anticipated job needs.
4.3.5.3 Security awareness and training activities shall commence as soon as practicable after workers
join the organization, for instance through attending information security induction/orientation
classes. The awareness activities shall continue on a continuous/rolling basis thereafter in order
to maintain a reasonably consistent level of awareness.
4.3.5.4 Where necessary and practicable, security awareness and training materials shall suit their
intended audiences in terms of their styles, formats, complexity, technical content etc. For
example, some people prefer to read written descriptions and instructions while others prefer to
be shown things or have them demonstrated. Some like to read words, others prefer diagrams
and pictures. Non-technical workers are unlikely to understand or appreciate highly technical
awareness content, while their technical colleagues may well need the full details in order to
understand exactly what they are being asked to do. Everyone needs to know why information
security is so important, but the motivators may be different for workers concerned only about
their own personal situations or managers with broader responsibilities to the organization and
their staff.
4.3.5.5 Information Security's intranet site shall be the focal point for security awareness, providing
information and guidance on a wide variety of information security matters. It is the definitive
source of current information security policies, standards, procedures and guidelines. However,
workers with limited intranet access must also be kept suitably informed by other means such as
seminars, briefings and courses.
4.3.5.6 A range of compliance measures must be undertaken to achieve widespread compliance with the
various information security obligations. While the details vary according to the specific nature of
those obligations, including the risks associated with non-compliance, management anticipates a
mixture of routine, periodic and ad hoc compliance activities such as management oversight,
reviews and audits, which may include checking workers' uptake of security awareness and
training opportunities, awareness test results and other metrics.

4.3.6 Responsibilities and accountabilities

4.3.6.1 The Chief Information Security Officer/Information Security Manager is accountable for running
an effective information security awareness and training program that informs and motivates
workers to help protect the organization's information assets.
4.3.6.2 Information Security Management is responsible for developing and maintaining a
comprehensive suite of information security policies (including this one), standards, procedures
and guidelines that are to be mandated and/or endorsed by management where applicable.
Working in conjunction with other corporate functions, it is also responsible for running suitable
awareness, training and educational activities to raise awareness and aid understanding of
workers' responsibilities identified in applicable policies, laws, regulations, contracts etc.
4.3.6.3 IT Help/Service Desk is responsible for helping workers on basic information security matters,
liaising with experts from functions such as Information Security Management, Site Security,
Human Resources, Risk Management, Legal and Compliance where necessary.
4.3.6.4 Managers are responsible for ensuring that their staff and other workers within their remit
participate in the information security awareness, training and educational activities where
appropriate.
4.3.6.5 Workers are personally accountable for complying with the information security related policies or
processes and any training and awareness programs conducted by ADWEA.
4.3.6.6 Internal Audit is authorized to assess compliance with this and other corporate policies at any
time.

4.3.7 Any References

Item Description

4.4 [ITD-PL-004] Human Resources Security Policy

4.4.1 Policy summary / Goals

To increase ADWEA's assurance that personnel will contribute positively to the cyber security of the
entity by understanding their responsibilities and ensuring they are suitable for their role.
To address security requirements for each phase of the employment, contract or agreement lifecycle,
supporting HR processes such as employment, change of employment or termination.

4.4.2 Applicability / Scope

This policy applies throughout the organization as part of the corporate governance framework. It applies
regardless of whether workers use the computer systems and networks, since workers are expected to protect
all forms of information asset including computer data, written materials/paperwork and intangible forms of
knowledge and experience. This policy also applies to third party employees working for the organization
whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by
generally held standards of ethics and acceptable behavior) to comply with our information security
policies.

4.4.3 Background

As cited in a variety of sources, people are often described as the weakest link in any security system. It is
important to build security into the entire Human Resource (HR) process, from pre-employment, during
employment, and through termination, to ensure that policies and procedures are in place to address security
issues. Consistent training throughout the entire process ensures that employees and contractors are fully
aware of their roles and responsibilities and understand the criticality of their actions in protecting and
securing both information and facilities.

4.4.4 Guiding principle

The organization's data must be protected from unauthorized access, disclosure, modification, destruction
or interference. For this to happen, the management of human resources related security and privacy risks
needs to be addressed through an appropriate security policy which ensures adherence to secure best
practices for the complete employment lifecycle within the organization.

4.4.5 Detailed policy requirements

4.4.5.1 PRIOR TO EMPLOYMENT


4.4.5.1.1 Pre-hire screening shall be performed for all ADWEA group employees, contractors,
and third party users prior to hiring based on a defined background verification check
process in accordance with relevant laws and regulations.
4.4.5.1.2 Additional screening shall be performed for personnel accessing sensitive information
or critical facilities, or whenever deemed necessary by the HR department and/or hiring
management.
4.4.5.1.3 The screening process shall be repeated periodically for personnel holding positions
with considerable authority.
4.4.5.1.4 All personnel shall sign a confidentiality and/or non-disclosure agreement prior to
being granted access to information systems or assets.
4.4.5.1.5 Standard information security terms and conditions shall be defined and reviewed
periodically for all ADWEA group personnel, stating:
4.4.5.1.6 Personnel legal responsibilities and rights
4.4.5.1.7 Responsibilities for the classification of information and management of ADWEA group
information systems and services handled by the employee
4.4.5.1.8 Responsibilities of personnel for handling information received from other companies
or external entities
4.4.5.1.9 Responsibilities of the ADWEA group for handling of personal information
4.4.5.1.10 Responsibilities that are extended outside ADWEA groups premises and outside
regular working hours
4.4.5.1.11 The standard information security terms and conditions shall be included in any
contract
4.4.5.1.12 ADWEA group management shall ensure all personnel fully understand their relevant
information security terms and conditions
4.4.5.2 DURING EMPLOYMENT
4.4.5.2.1 ADWEA group management responsibilities shall include ensuring that:
4.4.5.2.2 All personnel are presented with the relevant information security policies and guidelines,
on first access or during orientation, to be read and accepted.
4.4.5.2.3 All personnel are properly briefed on their information security roles and responsibilities
prior to being granted access to ADWEA group information or information systems.
4.4.5.2.4 All personnel comply with the ADWEA group's information security policies and procedures.
4.4.5.2.5 All personnel skills and qualifications are continuously evaluated and improved in
accordance with set, appropriate criteria.
4.4.5.2.6 A disciplinary process shall be defined, communicated to all personnel and enforced

4.4.5.2.7 The disciplinary process shall be commenced only after verification that a security
breach has occurred
4.4.5.3 TERMINATION / CHANGE OF EMPLOYMENT
4.4.5.3.1 Responsibilities for employment termination or change of employment shall be defined and
assigned, with emphasis on communicating the ADWEA group information security obligations
that continue to apply (including confidentiality and property rights).
4.4.5.3.2 All ADWEA group personnel shall return all of the organization's assets in their
possession upon termination of employment, contract or agreement.
4.4.5.3.3 All personnel access to information and information systems shall be revoked upon
termination of their employment, contract or agreement, or adjusted upon change.
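The revocation and adjustment requirement above is normally verified by reconciling the HR leaver/mover feed against the account directory. The following is an added example of such a reconciliation and is not ADWEA tooling; the record layouts, the HR records and the accounts in it are constructed sample data. It flags three conditions: leavers whose end date has passed but whose account is still enabled, movers whose entitlements were approved for a previous department, and accounts with no HR owner at all.

```python
"""Joiner/mover/leaver reconciliation of an HR feed against an account directory.

Added example, not ADWEA tooling: the record layouts, the sample HR records
and the sample accounts below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str               # "active", "terminated" or "transferred"
    department: str           # current department per HR
    end_date: Optional[date]  # last working day for leavers, else None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str          # "" for accounts with no HR owner
    enabled: bool
    approved_for: str         # department the current entitlements were approved for


# Constructed sample data (assumption: one directory account per employee).
HR_FEED = [
    HrRecord("E100", "active", "finance", None),
    HrRecord("E101", "terminated", "ops", date(2024, 3, 31)),
    HrRecord("E102", "transferred", "hr", None),        # moved finance -> hr
    HrRecord("E103", "terminated", "ops", date(2024, 6, 30)),
]
ACCOUNTS = [
    Account("alice", "E100", True, "finance"),
    Account("bob", "E101", True, "ops"),          # leaver, still enabled
    Account("carol", "E102", True, "finance"),    # mover, access from old department
    Account("dave", "E103", False, "ops"),        # leaver, correctly disabled
    Account("svc-backup", "", True, "it"),        # no HR owner
]


def reconcile(hr_feed, accounts, as_of):
    """Compare each account with its HR status as of the given date.

    Returns three lists: leaver accounts (end date reached) that are still
    enabled, mover accounts whose entitlements were approved for a previous
    department, and accounts that map to no HR record at all.
    """
    by_id = {rec.employee_id: rec for rec in hr_feed}
    findings = {"leaver_enabled": [], "mover_stale_access": [], "orphan": []}
    for acct in accounts:
        rec = by_id.get(acct.employee_id)
        if rec is None:
            findings["orphan"].append(acct.username)
        elif (rec.status == "terminated" and rec.end_date is not None
              and rec.end_date <= as_of and acct.enabled):
            findings["leaver_enabled"].append(acct.username)
        elif rec.status == "transferred" and acct.approved_for != rec.department:
            findings["mover_stale_access"].append(acct.username)
    return findings


if __name__ == "__main__":
    for kind, names in reconcile(HR_FEED, ACCOUNTS, date(2024, 7, 1)).items():
        print(f"{kind}: {names}")
```

A leaver whose end date lies in the future is deliberately not reported, so the same check can be run daily without noise; an account that is disabled but still holds entitlements (dave) is also not reported here, and would be picked up by a separate dormant-account review.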

4.4.6 Responsibilities and accountabilities

4.4.6.1 The Chief Information Security Officer/Information Security Manager is accountable for enforcing
an effective HR security policy across the organization.
4.4.6.2 Information Security Management is responsible for developing and maintaining the HR
security policies (including this one), working in conjunction with the HR process owners.

4.4.6.3 HR Process Owners are responsible for ensuring that ADWEA's HR processes and policies fully
incorporate the HR security policy elements outlined under this policy.

4.4.6.4 Workers are personally accountable for complying with the HR security related policies or
processes.

4.4.6.5 Internal Audit is authorized to assess compliance with this and other corporate policies at any
time.

4.4.7 Any References

Item Description

4.5 [ITD-PL-005] Compliance Policy

4.5.1 Policy summary / Goals

To define compliance from the perspective of ADWEA's IT policy and the UAE IA standards.
To increase ADWEA's assurance that all of ADWEA's IT security requirements and
externally mandated requirements have been implemented and maintained, where
applicable, throughout the lifecycle.

4.5.2 Applicability / Scope

The Compliance policy covers all of ADWEA's information resources and supporting
people, processes and systems, whether managed or hosted internally or externally.

4.5.3 Background

A compliance policy facilitates the implementation of the associated controls to ensure
the entity is compliant at the entity, sector and national levels.

4.5.4 Guiding principle

Important elements to consider when developing a compliance framework or policy
include the following (but are not limited to them):
Awareness of relevant regulations/laws. (Do you know what you need to follow?)
Awareness of relevant policies. (Do you know what organizational policies apply to information
use?)
Awareness of relevant contractual agreements. (Do you know what agreements your organization
has made that impose conditions on the use of data?)
Awareness of relevant standards or best practices. (Do you know what standards or best practices
your organization chooses to follow with respect to information use?)
Management of organizational records. (Do you know what you need to keep and for how long?)
Awareness of how records are managed by your organization.
Approach to complying with each item. (Do you know what your organization is doing to follow
the law?)

4.5.5 Detailed policy requirements

4.5.5.1 All ADWEAs legal and contractual compliance requirements, including at sector and national
levels, shall be identified and documented, specifying the consequences of not meeting each
compliance requirement.
4.5.5.2 All employees shall comply with all national, sector and local laws and regulations for cyber
security.
4.5.5.3 Execution of all IT security procedures and activities shall comply with the IT security policies and
processes.
4.5.5.4 Any perceived violations shall be reported to the site-specific IT security focal point of contact, and
appropriate actions shall be taken to mitigate the risks of non-compliance.
4.5.5.5 All deviations from IT policy at the site level shall be approved by the site security focal point of
contact.
4.5.5.6 Compliance audits shall be conducted annually, only by resources identified by the IT Steering
Committee, and shall be carefully planned and agreed upon when performed against
operational IT systems and assets, so as to minimize disruption to operations.
4.5.5.7 Information concerning vulnerabilities and potential non-compliance shall be classified as
confidential information and shall be treated accordingly.
4.5.5.8 Information concerning such vulnerabilities and non-compliance shall be shared within ADWEA
only on a need to know basis.
4.5.5.9 IT Steering Committee shall be informed of all potential vulnerabilities and non-compliance
issues on a regular basis and shall be accountable for providing adequate resources to mitigate
these issues.
4.5.5.10 IT Site specific focal point of contact is responsible for coordinating with IT steering committee to
make decisions regarding external communications with customers or government entities.
4.5.5.11 Individual employees shall not share any potential vulnerabilities or non-compliance issues
externally (e.g.: to media, government or customers).

4.5.6 Responsibilities and accountabilities

4.5.6.1 As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.

4.5.6.2 IS/Internal Audit is authorized to assess compliance with this policy at any time. Typical
responsibilities include:
4.5.6.2.1 Define the audit criteria, scope and audit plan for each audit
4.5.6.2.2 Select auditors and conduct audits to ensure objectivity and the impartiality of the audit
process

4.5.6.2.3 Ensure that the results of the audits are reported to relevant management
4.5.6.2.4 Document the audit program and the audit results
4.5.6.2.5 Ensure that the internal audit is effectively implemented and maintained

4.5.7 Any References

Item Description

4.6 [ITD-PL-006] Performance Evaluation Policy

4.6.1 Policy summary / Goals

To ensure that IT security performance is measured, analyzed, evaluated and improved where necessary to
meet changing risk factors and entity goals and objectives.

4.6.2 Applicability / Scope

The Performance policy typically targets the information security domain within ADWEA, including all
the associated Information resources and supporting people, processes and systems.

4.6.3 Background

Ongoing performance monitoring and evaluation is one of the major contributors to
effective and successful information security operation within any entity.
Therefore, the entity shall have an overall framework for its monitoring and
performance measurement activities.

4.6.4 Guiding principle

To measure information security performance and the effectiveness of the
information security management system, the organization needs to determine the
following:
what needs to be monitored and measured, including information security processes and controls;
the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid
results;
when the monitoring and measuring is to be performed;
who will monitor and measure;
when the results from monitoring and measurement are analyzed and evaluated; and
who will analyze and evaluate these results.

4.6.5 Detailed policy requirements

4.6.5.1 Key security performance indicators (KPIs), to evaluate the performance of ADWEA's IT security
controls and the effectiveness of the IT security management program in achieving business
goals and objectives, shall be established by the IT Security Program Manager and be reviewed and
approved by the IT Steering Committee.
4.6.5.2 Annual compliance and operational audits shall identify and evaluate adherence to the security
KPIs.
4.6.5.3 When risk factors change (i.e. when the threat and vulnerability landscape changes), compliance and
operational audits shall identify and evaluate adherence to the security KPIs.
4.6.5.4 All cyber incidents shall be analyzed to determine which security controls were ineffective, and
appropriate compensating controls shall be put in place.
4.6.5.5 The IT Steering Committee shall outline performance improvement plans based on successive
progression of security control maturity and in line with the company's goals and objectives.
4.6.5.6 The IT Steering Committee shall monitor the implementation of the performance improvement plan
on a regular basis.

4.6.6 Responsibilities and accountabilities

4.6.6.1 As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.
4.6.6.2 IS/Internal Audit is responsible for assessing the performance of the information security
program based on the KPIs set by the IT Security Manager and approved by the IT Steering
Committee. Typical responsibilities during any audit include:
4.6.6.2.1 Define the audit criteria (i.e. the identified KPIs), scope and audit plan for each audit
4.6.6.2.2 Select IT auditors and conduct audits to ensure objectivity and the impartiality of the
audit process
4.6.6.2.3 Ensure that the results of the audits are reported to relevant management
4.6.6.2.4 Document the audit program and the audit results
4.6.6.2.5 Ensure that the internal audit is effectively implemented and maintained

4.6.7 Any References

Item Description

4.7 [ITD-PL-007] Asset Management Policy

4.7.1 Policy summary / Goals

To ensure that all IT assets are properly classified and that they are appropriately managed and
protected throughout their lifecycle, according to their classification.

4.7.2 Applicability / Scope

The Asset Management Policy covers all of ADWEA's information resources and supporting systems, whether
managed or hosted internally or externally.

4.7.3 Background

An asset is defined as "an item of value". Asset management is based on the idea that it is important to
identify, track, classify, and assign ownership for the most important assets in your organization to ensure
they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset
management. Knowing what you have, where it lives, how important it is, and who's responsible for it are
all-important pieces of the puzzle.
Similarly, an Information Asset is an item of value containing information. The same concepts of general
asset management apply to the management of information assets. To be effective, an overall asset
management strategy shall include information assets, software assets, and information technology
equipment.

4.7.4 Guiding principle

An organization must know what physical, environmental or information assets it holds so that it can
manage and protect them appropriately. Important elements to consider when developing an asset
management policy are:
Inventory (do you know what assets you have & where they are?)
Responsibility/Ownership (do you know who is responsible for each asset?)
Importance (do you know how important each asset is in relation to other assets?)
Establish acceptable-use rules for information and assets.
Establish procedures for the labeling of physical and information assets.
Establish return of asset procedures (do you have an employee exit procedure?)
Protection (is each asset adequately protected according to how important it is?)

4.7.5 Detailed policy requirements

4.7.5.1 Ownership, Responsibility and Accountability of Assets


4.7.5.1.1 All stakeholders involved in the asset management lifecycle shall be made aware of,
and have access to, the IT asset management policy, processes and procedures in
place.
4.7.5.1.2 At each stage in the IT asset management lifecycle (procurement through
disposal), security requirements and business relevance shall be considered.
4.7.5.1.3 IT asset owners/system administrators for IT assets such as hardware, software and IT
data stores shall be identified and shall be accountable for the asset.
4.7.5.1.4 IT asset owner/Systems Administrator shall ensure all IT assets are properly
inventoried, classified, securely protected and reviewed.
4.7.5.1.5 IT asset owner/Systems Administrator shall also be responsible for:
a) Approving access to the IT asset.
b) Approving and reviewing security measures for IT assets.
c) Recommending additional controls or advising against controls in light of system criticality.
d) Ensuring all legal requirements related to the IT asset are met.

4.7.5.2 Asset Inventory Policies


4.7.5.2.1 Change management, risk management, resource management and business
continuity plans shall take into consideration assets criticality/business relevance.
4.7.5.2.2 Maintenance of the IT asset inventory shall be facilitated in accordance with the
change management and risk management processes, to address accurate updates of
the entitys IT asset inventory list.
4.7.5.2.3 Asset attributes such as asset owner, asset custodian, asset name, asset tag, IP
address, MAC address, serial number, hardware/firmware version, operating system
version and patches, installed application software version and patches, third-party
application software version and patches, the asset's security requirements, the asset's
business criticality, the asset's data classification and last review date shall be recorded.
4.7.5.2.4 Automated mechanisms to help maintain an up-to-date, complete and accurate asset
inventory shall be employed wherever technically feasible.
4.7.5.2.5 System architecture/interconnection diagrams showing data flows, and physical and
logical segmentation shall be reviewed and updated at-least quarterly or based on
major updates or changes to the asset configuration.
4.7.5.2.6 Asset inventory shall be reviewed and updated at-least quarterly or based on major
updates or changes to the asset configuration.
4.7.5.2.7 Assets access restrictions shall be employed to support the protection requirements
for assets commensurate with asset criticality, security requirements and level of risk to
the business.
4.7.5.2.8 To mitigate the risk of media content degradation and the consequent non-availability of
critical data, three redundant copies shall be made, two local and one remote.
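The inventory requirements above (recorded attributes, quarterly review, and two local plus one remote copy for critical data) are mechanically checkable against an inventory export. The following is an added example of such a check, not ADWEA's own tooling: the record layout, the 90-day interpretation of "quarterly", and the sample records are constructed assumptions. It reports, per asset tag, which required attributes are blank, whether the last review is overdue, and whether a critical asset lacks the required copies.

```python
"""Check an IT asset inventory export against the inventory requirements:
required attributes recorded, last review within the quarter, and three copies
(two local, one remote) for assets holding critical data.

Added example, not ADWEA tooling. The record layout, the 90-day review window
and the sample records below are assumptions / constructed data.
"""
from datetime import date, timedelta

# Attributes the policy requires per asset (names are assumed column names).
REQUIRED_ATTRIBUTES = (
    "owner", "custodian", "name", "tag", "ip_address", "mac_address",
    "serial_number", "firmware_version", "os_version", "os_patches",
    "app_versions", "third_party_app_versions", "security_requirements",
    "business_criticality", "data_classification", "last_review",
)
REVIEW_WINDOW = timedelta(days=90)  # assumption: "at least quarterly" == 90 days


def check_asset(asset, as_of):
    """Return the list of findings for one record (empty if compliant)."""
    findings = []
    missing = [a for a in REQUIRED_ATTRIBUTES if asset.get(a) in (None, "")]
    if missing:
        findings.append("missing attributes: " + ", ".join(missing))
    last = asset.get("last_review")
    if isinstance(last, date) and as_of - last > REVIEW_WINDOW:
        findings.append(f"review overdue: last reviewed {last.isoformat()}")
    if asset.get("business_criticality") == "critical":
        copies = asset.get("copies", [])
        local = sum(1 for c in copies if c["location"] == "local")
        remote = sum(1 for c in copies if c["location"] == "remote")
        if local < 2 or remote < 1:
            findings.append(f"redundant copies: {local} local / {remote} remote, "
                            "need 2 local + 1 remote")
    return findings


def check_inventory(inventory, as_of):
    """Map asset tag -> findings for every non-compliant record."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, as_of)
        if findings:
            report[asset["tag"]] = findings
    return report


def _record(tag, **overrides):
    """Build a fully populated constructed record, then apply overrides."""
    rec = {a: f"{tag}-{a}" for a in REQUIRED_ATTRIBUTES}
    rec.update(tag=tag, last_review=date(2024, 5, 15), business_criticality="medium",
               data_classification="internal", copies=[])
    rec.update(overrides)
    return rec


# Constructed sample inventory: one compliant server, one with gaps and a
# stale review, one critical database missing its remote copy, one compliant.
SAMPLE_INVENTORY = [
    _record("SRV-001"),
    _record("SRV-002", mac_address="", serial_number=None, last_review=date(2024, 1, 10)),
    _record("DB-001", business_criticality="critical", data_classification="confidential",
            copies=[{"location": "local"}, {"location": "local"}]),
    _record("DB-002", business_criticality="critical", data_classification="confidential",
            copies=[{"location": "local"}, {"location": "local"}, {"location": "remote"}]),
]


if __name__ == "__main__":
    for tag, findings in check_inventory(SAMPLE_INVENTORY, date(2024, 7, 1)).items():
        print(tag)
        for f in findings:
            print("  -", f)
```

Run against a real export, the same function doubles as the "automated mechanism" of 4.7.5.2.4: feeding it a CMDB or discovery-tool dump on a schedule turns the quarterly review into a continuous check, and the missing-attribute finding is usually the first sign that an asset was added outside the change management process.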
4.7.5.3 Disposal/Destruction of Asset
4.7.5.3.1 Procedures shall be in place to identify the assets to be collected (both paper and
digital) and disposed/destroyed of securely based on the criticality of information stored
on the asset.
4.7.5.3.2 IT asset owner shall ensure secure handling when the IT asset is decommissioned or
destroyed.
4.7.5.3.3 When no longer required, the contents of any storage media (e.g. RAM, CDs, USB devices)
containing confidential information that are to be removed from operations shall be made
unrecoverable.
4.7.5.3.4 Whenever an owned software copy is declared or deemed obsolete, non-usable or not
in line with company policy, such copies/media shall be disposed of in a safe, non-reusable
manner.
4.7.5.3.5 All decommissioned assets shall be collected and disposed of securely, rather than
attempting to separate out the sensitive items.
4.7.5.3.6 Unused media, such as hard-copy documentation, shall be shredded.
4.7.5.3.7 Disposal of sensitive assets and media shall be logged in order to maintain an audit
trail.

4.7.5.3.8 Damaged industrial control devices containing sensitive data shall require a risk
assessment to determine whether items shall be physically destroyed rather than sent
for repair or discarded.
4.7.5.4 Asset Buy-back / Exchange option
4.7.5.4.1 If the vendor offers a buy-back/exchange option, it may be used after management
approval. This must not compromise the organization's sensitive data/information: storage media
shall be made unrecoverable (see 4.7.5.3.3) before the asset is handed over.

4.7.6 Responsibilities and accountabilities

4.7.6.1 CEO - The CEO shall have authority to represent the organization for the protection and security
of the information assets, as ownership of information assets is assigned to this organizational
role. The CEO shall approve the Information Management / Security Policy.
The CEO may delegate full / partial ownership along with the defined responsibilities to any
officer / contractor / third party with operational rights and responsibility.
4.7.6.2 CIO (Chief Information Officer) - The CIO ensures that strategic planning processes are
undertaken so that information requirements and supporting systems and infrastructure are
aligned to legislative requirements and strategic goals. The CIO ensures that information security
policies and governance practices are established to ensure the quality and integrity of the
organization's information resources and supporting IT systems. They oversee the development of
tools, systems and information technology infrastructure to maximize the access and use of the
organization's information resources.
The Chief Information Officer is responsible for:
Interpreting the business and information needs and wants of the organization
and translating them into ICT initiatives
Setting the strategic direction for information and communications technology
and information management
Ensuring that ICT and information management investment is aligned to the
Ensuring that projects and initiatives are aligned and coordinated to deliver the best
value
Ensuring ICT planning is integrated into business planning
Identifying opportunities for information sharing and cross collaboration on projects and
initiatives.


4.7.6.3 CISO (Chief Information Security Officer) - The CISO is responsible for
developing and implementing information security policy designed to protect information and any
supporting information systems from unauthorized access, use, disclosure, corruption or
destruction.
The CISO shall:
Develop policies, procedures and standards to ensure the security, confidentiality and
privacy of information that is consistent with organizational Information security policy
Monitor and report on any information intrusion incidents and activate strategies to
prevent further incidents.
Work with information custodians to ensure that information assets have been assigned
appropriate security classifications.
Maintenance and upkeep of the asset as defined by the asset owner
System Restart and recovery
Implementing any changes as per the change management procedure
Backup of the information
Updating of information asset inventory register;
Identifying the classification level of information asset;
Defining and implementing appropriate safeguards to ensure the confidentiality,
integrity, and availability of the information asset;
Assessing and monitoring safeguards to ensure their compliance and report situations
of non-compliance;
Authorizing access to those who have a business need for the information, and ensuring
access is removed from those who no longer have a business need for the information.
4.7.6.4 Data Operators / End Users - Employees, Third Parties, Contractors authorized by the Owner /
custodian to access information and use the safeguards established by the Owner / custodian.
Being granted access to information does not imply or confer authority to grant other users
access to that information. The users are bound by the acceptable usage policy of the
organization.

4.7.7 Any References

Item Description


4.8 [ITD-PL-008] Physical and Environmental Policy

4.8.1 Policy summary / Goals

Objective: To ensure the organization appropriately protects buildings and rooms to prevent unauthorized
access, damage, or interference to the information systems therein.
Objective: To ensure the organization appropriately protects information systems equipment from physical
and environmental threats.

4.8.2 Applicability / Scope

This Policy covers all of ADWEA's IT systems, whether managed or hosted internally or externally.

4.8.3 Background

Physical and environmental security programs define the various measures or controls that protect
organizations from loss of connectivity and availability of computer processing caused by theft, fire, flood,
intentional destruction, unintentional damage, mechanical equipment failure and power failures. Physical
security measures shall be sufficient to deal with foreseeable threats and shall be tested periodically for their
effectiveness and functionality.

4.8.4 Guiding principle

These are some of the fundamental elements of any physical and environmental security program, which can
act as guidelines for developing an appropriate physical and environmental security policy and process. They
are listed below.
Determine which managers are responsible for planning, funding, and operations of physical
security of the Data Center.
Review best practices and standards that can assist with evaluating physical security controls,
such as ISO/IEC 27002:2013 / NESA IAS etc.
Establish a baseline by conducting a physical security controls gap assessment that will include
the following as they relate to ADWEA's Data Center:
o Environmental Controls
o Natural Disaster Controls
o Supporting Utilities Controls
o Physical Protection and Access Controls
o System Reliability
o Physical Security Awareness and Training
o Contingency Plans


Determine whether an appropriate investment in physical security equipment (alarms, locks or
other physical access controls, identification badges for high security areas, etc.) has been made
and if these controls have been tested and function correctly.
Provide responsible managers guidance in handling risks.
Maintain a secure repository of physical and environmental security controls and policies and
establish timelines for their evaluation, update and modification.
Create a team of physical and environmental security auditors, outside of the management staff,
to periodically assess the effectiveness of the measures taken and provide feedback on their
usefulness and functionality.

4.8.5 Detailed policy requirements

4.8.5.1 Secure areas : ADWEA shall take due care to prevent unauthorized physical access, damage or
interference to the organization's premises and infrastructure, using controls appropriate to the
identified risks and the value of the assets protected. The policies outlined below are geared
towards the same.

4.8.5.1.1 Physical security perimeter : Security perimeters shall be used to protect areas that
contain information and information processing facilities -- using walls, controlled entry
doors/gates, manned reception desks and other measures. The following points need
to be considered:
a) perimeter siting and strength determined by risk assessment;
b) clearly defined and marked perimeters, except in situations where hidden/disguised
perimeters would enhance security;
c) use of physically sound walls, windows and doors, protected with bars, locks, alarms
as appropriate;
d) use of additional physical barriers, where appropriate to prevent unauthorized access
or physical contamination;
e) provision of appropriate protection against fire, water or other reasonably anticipated
environmental threats;
f) use of appropriate intrusion detection systems, such as motion and perimeter alarms,
audio and video surveillance;
g) use of manned reception areas or appropriate lock/ID systems to control passage into
the restricted area;
h) measures designed with sufficient redundancy such that a single point of failure does
not compromise security; and
i) regular maintenance to and review of the adequacy of the components of these
physical protections.


4.8.5.1.2 Physical entry control : Secure areas shall be protected by appropriate entry controls
to ensure that only authorized personnel are allowed access. The following points need
to be considered.
a. authentication mechanisms (e.g., keycard and PIN) proportionate to the identified risks
and the value of the asset(s) protected;
b. recording of date/time of entry and exit, and/or video recording of activities in the
entry/exit area, as appropriate;
c. requirement for authorized personnel to wear visible identification, and to report
persons without such identification;
d. appropriate authorization and monitoring procedures for third-party personnel who
must be given access to the restricted area; and
e. regular review and, when indicated, revocation of access rights (see also human
resources security.)
4.8.5.1.3 Secure offices, rooms and facilities : Physical security for offices, rooms and
facilities shall be designed and implemented. The following points need to be
considered:
a. use of measures that are commensurate to the identified risks and the value of the
assets at risk in each setting;
b. use of measures that balance relevant health, safety and related regulations and
standards;
c. use of highly visible controls, where appropriate as a deterrent;
d. use of unobtrusive or hidden controls/facilities, where appropriate for highly sensitive
assets; and
e. restrictions on information about facilities, including directory and location
information.
4.8.5.1.4 Protecting against external and environmental threats : Physical protection against
damage from fire, flood, wind, earthquake, explosion, civil unrest and other forms of
natural and man-made risk shall be designed and implemented. The following points
need to be considered:
a. consideration of probabilities of various categories of risks and value of assets
protected against those risks;
b. consideration of security threats posed by neighboring facilities and structures;
c. appropriate fire-fighting equipment and other counter-measures provided and suitably
located on site; and
d. appropriate siting of backup facilities and data copies in a suitable location off-site.


4.8.5.1.5 Working in secure areas : Physical protection and guidelines for working in secure
areas shall be designed and implemented. The following points need to be considered:
a. limiting personnel's awareness of, and activities within, a secure location on a need-to-
know basis;
b. limiting or prohibiting unsupervised/unmonitored work in secure areas, both for safety
reasons and to avoid opportunities for malfeasance;
c. keeping vacant secure areas locked, subject to periodic inspection, and/or monitored
remotely as appropriate by video or other technologies;
d. limiting video, audio or other recording equipment, including cameras in portable
devices, in secure areas.
4.8.5.1.6 Public access (or any delivery and loading access) :Access points such as delivery
and loading areas, and other points where unauthorized persons may enter the
premises, shall be controlled. The following points need to be considered.
a. limits on access to the delivery and loading areas, and to other public access areas, to
the degree possible;
b. inspection of incoming and outgoing materials, and separation of incoming and
outgoing shipments, where possible; and
c. isolation of these areas from information processing facilities and areas where
information is stored, where possible.

4.8.5.2 Equipment security : ADWEA shall take due measures to prevent loss, damage, theft or
compromise of assets or interruption to the organization's activities.

4.8.5.2.1 Equipment siting and protection: Equipment shall be sited or protected to reduce the
risks from environmental threats and hazards, and to reduce the opportunities for
unauthorized access by human threats. The following points need to be considered.
a. siting to minimize unnecessary risks to the equipment, and to reduce the need for
unauthorized access to sensitive areas;
b. siting to isolate items requiring special protection, to minimize the general level of
protection required;
c. use of particularized controls as appropriate to minimize physical threats -- e.g., theft
or damage from vandalism, fire, water, dust, smoke, vibration, electrical supply
variance, or electromagnetic radiation; and
d. guidelines for eating, drinking, smoking or other activities near equipment.


4.8.5.2.2 Supporting utilities: Equipment shall be protected from power failures,
telecommunications failures, and other disruptions caused by failures in supporting
utilities such as HVAC, water supply and sewage. The following points need to be
considered.
a. assuring that the supporting utilities are adequate to support the equipment under
normal operating conditions; and
b. making reasonable provision for backups (e.g., a UPS) in the event of supporting
utility failure.
4.8.5.2.3 Cabling security: Power and telecommunications cabling carrying sensitive data or
supporting information services shall be protected from interception or damage. The
following points need to be considered:
a. physical measures to prevent unauthorized interception or damage, including
additional protections for sensitive or critical systems;
b. alternate/backup routings or transmission media where appropriate, particularly for
critical systems;
c. clearly identified cable and equipment markings, except where security is enhanced by
removing/hiding such markings; and
d. documentation of patches and other maintenance activities.
4.8.5.2.4 Equipment maintenance: Equipment shall be correctly maintained to ensure its
continued availability and integrity. The following points need to be considered:
a. appropriate preventive maintenance;
b. documentation of all maintenance activities, including scheduled preventive
maintenance;
c. documentation of all suspected or actual faults, and associated remediation;
d. maintenance only by authorized employees or contracted third parties; and
e. appropriate security measures, such as clearing of information or supervision of
maintenance processes, appropriate to the sensitivity of the information on or
accessible by the devices being maintained;
4.8.5.2.5 Security of equipment off-premises: Appropriate security measures shall be applied
to off-site equipment, considering the different risks of working outside the
organization's premises. The following points need to be considered:
a. authorization of any off-site processing of organizational information, regardless of the
ownership of the processing device(s);
b. security controls for equipment in transit and in off-site premises, appropriate to the
setting and the sensitivity of the information on or accessible by the device;
c. adequate insurance coverage, where third-party insurance is cost-effective; and
d. employee and contractor awareness of their responsibilities for protecting information
and the devices themselves, and of the risks of off-premises environments.


4.8.5.2.6 Secure disposal or re-use of equipment : All equipment containing storage media
shall be checked to ensure that sensitive data and licensed software have been
removed or securely overwritten prior to disposal or re-use. The following points need to be
considered:
a) use of generally accepted methods for secure information removal, appropriate to the
sensitivity of the information known or believed to be on the media;
b) secure information removal by appropriately trained personnel, or verification of
secure information removal by appropriately trained personnel.
4.8.5.2.7 Removal of property : Equipment, information or software shall not be taken off-
premises without prior authorization. The following points need to be considered:
a) limitations on types/amounts of information or equipment that may be taken off-site;
b) recording of off-site authorizations and inventory of equipment and information taken
off-site; and
c) for persons authorized to take equipment or information off-site, appropriate
awareness of security risks associated with off-premises environments and training in
appropriate controls and counter-measures.

4.8.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall IT policy set.

4.8.7 Any References

Item Description


4.9 [ITD-PL-009] Operations Security Policy

4.9.1 Policy summary / Goals

To ensure the effective operation and security of information processing facilities.
To protect the confidentiality, integrity, and availability (CIA) of information technology
resources and data.
To ensure the integrity and availability of information processed and stored within information
processing facilities.
To detect unauthorized activities occurring that may have a detrimental effect upon information
processing facilities.
To ensure the integrity of operating systems.
To prevent exploitation of technical vulnerabilities.
To minimize the impact of audit activities on operational systems.

4.9.2 Applicability / Scope

This policy covers all of ADWEA's information resources and supporting systems, whether managed or
hosted internally or externally.

4.9.3 Background

Operations security involves planning and sustaining the day-to-day, "rubber meets the road" processes that
are critical to maintaining the security of the organization's information environments. The extent and
complexity of security operations will vary between organizations based on their risk tolerances and resource
levels. However, the most important aspect of operations security is that the operations themselves need to be
repeatable, reliable, and consistently performed.

4.9.4 Guiding principle

The seven key guiding security controls for any policy / process development for operations security are
listed below.
Operational Procedures and Responsibilities- Important operational processes include Change
Management, Capacity Management, Separation of Development, Test, and Operations
Environments.
Protection from Malware
Backups of all critical business information.
Logging and Monitoring of all critical IT systems
Control of Operational Software
Technical Vulnerability Assessment and Management
Information System Audit Considerations

4.9.5 Detailed policy requirements

4.9.5.1 Operational procedures and responsibilities: ADWEA shall take due measures to ensure the
correct and secure operation of information processing facilities. To this effect the below
mentioned policies have been instituted.

4.9.5.1.1 Documented operating procedures :


Operating procedures shall be documented, maintained and made available to all users who need them.
The following points need to be considered:
o documentation of/for all significant system activities including start-up, close-down,
back-up and maintenance;
o treatment of such documentation as a formal organizational record, subject to
appropriate change authorization, change tracking and archiving; and
o provision of appropriate security for such documentation, including distribution
control.
4.9.5.1.2 Change management
Changes to information processing facilities and systems shall be controlled using appropriate change
management procedures. The following points need to be considered:
o risk assessments, including an analysis of potential impacts and necessary
countermeasures or mitigation controls;
o processes for planning and testing of changes, including fallback (abort/recovery)
measures;
o managerial approval and authorization before proceeding with changes that may have
a significant impact on operations;
o advance communication/warning of changes, including schedules and a description of
reasonably anticipated effects, provided to all relevant persons;
o documentation of changes made and the prior steps in the change management
process.
4.9.5.1.3 Segregation of duties
Duties and areas of responsibility shall be segregated to the degree practicable, to reduce opportunities for
unauthorized or unintentional modification or misuse of the organization's assets.
4.9.5.1.4 Separation of development, test and operational facilities
Development, test and operational facilities shall be separated, to the degree practicable, to reduce risks of
unauthorized access or changes to the operational system.


4.9.5.2 Third party delivery management: This category aims to implement and maintain the appropriate
level of information security and service delivery in the context of third-party service delivery
agreements.

4.9.5.2.1 Service delivery


Security controls, service definitions and delivery levels shall be included in third-party service delivery
agreements.
4.9.5.2.2 Monitoring and review of third-party services
Services, reports and records provided by the third party shall be regularly monitored and reviewed, and
appropriate audits conducted.
4.9.5.2.3 Managing changes to third-party services
Changes to the provision of services, including maintaining and improving existing information security
policies, procedures and controls, shall be appropriately managed. The following points need to
be considered:
o considering the criticality of the business system(s) and process(es); and
o using appropriate change management procedures, like those applied to internal
service changes.

4.9.5.3 System planning and acceptance : This category aims to minimize the risk of systems failures.

4.9.5.3.1 Capacity management


The use of information and information facility resources shall be appropriately monitored, and
projections made of future capacity requirements to ensure adequate systems performance. The
following points need to be considered:
o identification of capacity requirements for each new and ongoing system/service;
o projection of future capacity requirements, considering current use, projected trends,
and anticipated changes in business requirements; and
o system monitoring and tuning to ensure and, where possible, improve availability and
effectiveness of current systems.
4.9.5.3.2 System acceptance
Acceptance criteria for new information systems, upgrades, and new versions shall be appropriately
established, and suitable tests of the system(s) carried out during development and prior to
acceptance. The following points need to be considered:


o clear definition of, agreement on, testing of, and documentation of compliance with
requirements for system acceptance; and
o consultation with affected persons, or representatives of affected groups, at all phases
of the process.

4.9.5.4 Protection against malicious and mobile code: This category aims to protect the
integrity of software and information.

4.9.5.4.1 Controls against malicious code


Appropriate controls shall be implemented for prevention, detection and response to malicious code,
including appropriate user awareness. The following points need to be considered:
o formal policies prohibiting the use or installation of unauthorized software, including a
prohibition of obtaining data and software from external networks;
o formal policies requiring protective measures, such as installation of anti-virus and
anti-spyware software, and for the regular updating of it;
o periodic reviews/scans of installed software and the data content of systems to identify
and, where possible, remove any unauthorized software;
o defined procedures for response to identification of malicious code or unauthorized
software;
o continuity/recovery plans to deal with system interruptions and failures caused by
malicious code; and
o user awareness training on these policies and methods.

4.9.5.4.2 Controls against mobile code


Appropriate controls shall be implemented to control the operation of, and prevent damage from malicious
versions of, mobile code.

4.9.5.5 Back-up : This category aims to maintain the integrity and availability of organizational
information.

4.9.5.5.1 Information back-up


Back-up copies of information and software shall be made, and tested at appropriate intervals, in
accordance with an agreed-upon back-up policy. The following points need to be considered:
o formal definition of the level of backup required for each system -- scope of data to be
imaged, frequency of imaging, duration of retention -- based on legal, regulatory and
certification requirements and on business requirements;


o complete inventory records for the back-up copies, including content and current
location;
o complete documentation of restoration procedures for each system;
o storage of the back-ups in a remote location, at a sufficient distance to make them
reasonably immune from any damage affecting the primary site;
o appropriate physical and environmental controls for the back-up copies where-ever
located;
o appropriate technical controls, such as encryption, for back-up copies of sensitive
information;
o regular testing of back-up media.
o regular testing of restoration procedures.

4.9.5.6 Network security management :This category aims to ensure the protection of information in
networks and protection of the supporting network infrastructure.

4.9.5.6.1 Network controls


Networks shall be appropriately managed and controlled, to be protected from threats, and to maintain
security for the systems and applications using the network, including information in transit. The
following points need to be considered:
o separation of operational responsibilities for networks from those for computer
systems and operations, where appropriate;
o implementation of appropriate controls to assure the availability of network services
and information services using the network;
o establishment of responsibilities and procedures for management of equipment on the
network, including equipment in user areas;
o special controls to safeguard the confidentiality and integrity of sensitive data passing
over the organization's network and to/from public networks;
o appropriate logging and monitoring of network activities, including security-relevant
actions; and
o management processes to ensure coordination of and consistency in the elements of
the network infrastructure.

4.9.5.6.2 Security of network services


Security features, service levels and management requirements for all network services shall be identified
in reasonable detail, and included in a network services agreement, whether those services are
provided in-house or outsourced. The following points need to be considered, including specification of:
o technologies applied for security of network services, such as authentication,
encryption and connection controls;


o technical parameters and rules for secured connection with the network; and
o procedures and processes to control/restrict network access.

4.9.5.7 Media handling :This category aims to prevent unauthorized disclosure, modification, removal or
destruction of information assets, or interruptions to business activities.

4.9.5.7.1 Management of removable media


Procedures and supporting standards shall be established for management of removable media. The
following points need to be considered:
o where appropriate to the sensitivity of the data, logging and an audit trail of removals
of media from or relocations within the organization's premises;
o where appropriate to the sensitivity of the data, a requirement for authorization prior to
removal or relocation;
o appropriate redundancy of storage in light of the risks to the removable media,
including where storage retention requirements exceed the rated life of the media;
o restrictions on the type(s) of media, and usages thereof, where necessary for adequate
security;
o registration of certain type(s) of media; and
o secure disposal of media when no longer needed (see next).
4.9.5.7.2 Disposal of media
Media shall be disposed of securely and safely when no longer required, using formal procedures. The
following points need to be considered:
o use of generally-accepted secure disposal methods for media that contain (or might
contain) sensitive data;
o procedures and policies to identify data that qualifies as sensitive, or a policy that all
information will be considered sensitive in the absence of unequivocal evidence to the
contrary; and
o where appropriate to the sensitivity of the data, logging and an audit trail of disposal
operations.

4.9.5.7.3 Information handling procedures


Appropriate procedures for the handling and storage of information shall be established to protect data
from unauthorized disclosure or misuse. The following points need to be considered:
o physical and technical access restrictions appropriate to the data sensitivity level;
o handling and labelling of all media per its indicated classification (sensitivity) level;
o where appropriate to the sensitivity, maintenance of formal records of data transfers,
including logging and an audit trail; and
o review at appropriate intervals of distribution and authorized recipient lists.


4.9.5.7.4 Security of system documentation


System documentation shall be appropriately protected against unauthorized access. The following points
need to be considered:
o secure storage of documentation, whether in paper or electronic form; and
o authentication and access control measures, where appropriate to the sensitivity of the
documentation.

4.9.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall IT policy set.

4.9.7 Any References

Item Description


4.10 [ITD-PL-010] Communications Policy

4.10.1 Policy summary / Goals

To ensure the protection of information in networks and its supporting information processing
facilities.
To maintain the security of information transferred within an organization and with any external
entity.

4.10.2 Applicability / Scope

This policy covers all of ADWEA's information resources and supporting systems, whether managed or
hosted internally or externally.

4.10.3 Background

Communications encompasses the breadth of digital data flows both within the organization and with
external entities across network infrastructures. These flows now include data, voice, video, and all their
associated signaling protocols. Securing these information flows as they traverse intranets, extranets and
the Internet requires effective network infrastructure management as well as controls, policies, and procedures.

4.10.4 Guiding principle

When beginning the process of developing and establishing a secure communications policy/program, the
following fundamentals must be considered and adhered to:
Develop policies and standards that support the:
o Establishment of clear authority and accountability for network management.
o Risk-based segregation of groups of systems, users, and information systems.
o Authority to control, actively monitor, and log traffic traversing designated ingress and
egress points.
Identify threats related to the communications environment.
o Evaluate threat scenarios and methods of network attack (reconnaissance, exploitation,
data exfiltration).
Identify the most critical systems, data, or equipment within the network.
Use routing and firewalls to define the network perimeter.
Use a border firewall and/or Intrusion Detection/Prevention devices to limit entry/exit of network
traffic.
Define the demilitarized zone of the network where the public can access limited network
resources, as well as public access points to the network such as open access ports and public
WiFi.

Define restricted portions of the network for use by authorized staff and facility personnel; use
identity and access management controls for users and systems on the network.
Define highly restricted portions of the network such as within data centers, communications
facilities, or other highly restricted areas.
Establish information transfer policies and encryption standards that address varied needs for
confidentiality, integrity, and non-repudiation of internal and external data exchanges.

4.10.5 Detailed policy requirements

4.10.5.1 Exchange of information: This category aims to maintain the security of information and software
exchanged within an organization and with any external entity.

4.10.5.1.1 Information exchange policies and procedures


Formal exchange policies and procedures shall be implemented to protect the exchange of information,
covering the use of all types of communications facilities and data storage media. The following
points need to be considered:
o procedures designed to protect exchanged information from interception, copying,
modification, mis-routing or destruction;
o procedures for the detection of and protection against malicious code (see also
"controls against malicious code" policy);
o procedures for the protection of wireless communications;
o use of cryptographic methods where appropriate to achieve sufficient protections;
o policies or guidelines about acceptable and unacceptable uses of communications
facilities and media;
o retention and disposal guidelines for all business information;
o user awareness and training about these policies and guidelines; and
o compliance with all relevant legal-regulatory-certificatory requirements for
information exchange.

4.10.5.1.2 Exchange agreements


Agreements shall be established for the exchange of information and software between the organization
and external parties. The following points need to be considered:
o specification of management responsibilities for controlling/approving agreements
about transmissions and receipts;
o procedures to ensure appropriate identification and labelling, appropriate notifications
to sender and recipient, traceability and non-repudiation;
o minimum technical standards for packing and transmission;

o specification of ownership and responsibilities for data protection, copyright, license
compliance and similar considerations (see also Compliance policy section);
o specification of responsibilities and liabilities in the event of an information security
incident;

4.10.5.1.3 Physical media in transit


Media containing information shall be protected against unauthorized access, misuse or corruption. The
following points need to be considered:
o procedures and standards for authorizing couriers, and a list of currently authorized
couriers;
o packaging standards, including technical protections (e.g., encryption); and
o physical protection standards (e.g., locked containers, tamper-evident tagging).
4.10.5.1.4 Electronic messaging
Information involved in electronic messaging shall be appropriately protected. Electronic messaging
includes email, IM, audio-video conferencing and any other one-to-one, one-to-many, or
many-to-many personal communications. The following points need to be considered:
o protecting messages from unauthorized access, modification or diversion;
o ensuring correct addressing and transportation;
o ensuring the general reliability and availability of messaging services;
o limiting the use of less-secure messaging systems (e.g., public IM); and
o stronger levels of authentication and message content protection when using public
networks.

4.10.5.1.5 Business information systems


Necessary standards and procedures shall be developed and implemented to protect information associated
with the interconnection of business systems. The following points need to be considered:
o a risk assessment of and appropriate countermeasures for vulnerabilities associated
with such interconnections;
o policies and appropriate controls to manage information sharing using such
interconnections;
o fallback and recovery arrangements in the event of interconnection failure.

4.10.5.2 Electronic commerce services: This category aims to ensure the security of electronic commerce
services and their secure use.

4.10.5.2.1 Electronic commerce


Information involved in electronic commerce passing over public networks shall be appropriately
protected from fraudulent activity, contract dispute, and unauthorized disclosure and
modification.
4.10.5.2.2 On-line transactions
Information involved in on-line transactions shall be appropriately protected to prevent incomplete
transmission, mis-routing, unauthorized message alteration, unauthorized disclosure,
unauthorized message duplication or replay.
4.10.5.2.3 Publicly available information
The integrity of information being made available on a publicly available system, such as a Web server,
shall be appropriately protected to prevent unauthorized modification.

4.10.5.3 Monitoring: This category aims to detect unauthorized information processing activities.

4.10.5.3.1 Audit logging


Audit logs that record user activities, exceptions, and information security events shall be produced, and
kept for an agreed-upon time period, to assist in future investigations and access control
monitoring. The following points need to be considered:
o recording, when relevant and within the capacity of the logging system, all key events,
including the date/time and details of the event, the user-ID associated, terminal
identity and/or location, network addresses and protocols, records of successful and
unsuccessful system accesses or other resource accesses, changes to system
configurations, use of privileges, use of system utilities and applications, files accessed
and the kinds of access, and alarms raised by the access control or any other protection
system (e.g., IDS/IPS);
o appropriate privacy protection measures for logged data that is confidential;
o appropriate security protections of a technical, physical and administrative nature (e.g.,
division of responsibilities) to ensure integrity and availability of audit logs.
4.10.5.3.2 Monitoring system use
Procedures for monitoring use of information processing facilities shall be established and the results of
monitoring activities regularly reviewed. The following points need to be considered:
o event tracking and recording as specified in the "audit trail" policy;
o monitoring and review of data as determined by the criticality of the
application/system or information involved, past experience with information security
incidents, and general risk assessment.

4.10.5.3.3 Protection of log information


Logging facilities and log information shall be appropriately protected against tampering and unauthorized
access.
4.10.5.3.4 Administrator and operator logs
System administrator and system operator activities shall be appropriately logged, as part of the general
audit trail process.
4.10.5.3.5 Fault logging
Faults shall be appropriately logged, analyzed and actions taken.
4.10.5.3.6 Clock synchronization
The clocks of all relevant information processing systems within an organization or security domain shall
be appropriately synchronized with an agreed-upon time source.

4.10.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall IT policy set.

4.10.7 Any References

Item Description

4.11 [ITD-PL-011] Access Control Policy

4.11.1 Policy summary / Goals

To cover all stages of the user access life-cycle - from determining the types and affiliation of
organizational users and their corresponding privileges to the procedures to revoke and disable their
access.
To underscore the importance of the active participation of users in safeguarding the access
privileges and credentials provided to them, and the practices needed to prevent
unauthorized user access and disclosure of privileged information.
To cover the mechanisms that an organization can use to ensure that only authorized users have
access to organizational computing devices.

4.11.2 Applicability / Scope

This policy covers all of ADWEA's information resources and supporting systems, whether managed or
hosted internally or externally.

4.11.3 Background

A basic element of any organization's information security program is the protection of information
resources that support the critical operations of the organization from unauthorized access, modification, or
disclosure. Access control is the use of administrative, physical, or technical security features to
manage how users and systems communicate and interact with other information resources.

4.11.4 Guiding principle

The following comprise the core principles for developing an access control policy framework.
Related roles and responsibilities.
Need-to-Know: Access only to information needed to perform assigned tasks.
Need-to-Use: Access only to information resources needed to perform assigned tasks.
Access levels and privileges by role.
Periodic review and removal of access levels and privileges.
Segregation of duties for requesting, authorizing, and reviewing access levels and privileges.
What is required to identify users?
Requirement for vetting users in person.
Requirement to archive records concerning user identification and credentialing.
What criteria are used to determine the types of credentials used?
What criteria are used to determine the level of access to applications and services?

Identification of roles with privileged access
Contractual obligations for limiting access granted to vendors and partners
What is required from identity providers and from service providers?
Requirement to identify the security requirements of applications - both, purchased and
developed internally
Requirement to determine the Level of Authentication (LOA) required to access a service based
on risk

4.11.5 Detailed policy requirements

4.11.5.1 Business requirements for access control: The objective of this category is to control access to
information, information processing facilities, and business processes.

4.11.5.1.1 Access control policy elements


This policy shall be periodically reviewed, based on business needs and external requirements. Access
control policy and associated controls shall take account of:
o security issues for particular data systems, given business needs, anticipated threats
and vulnerabilities;
o security issues for particular types of data, given business needs, anticipated threats
and vulnerabilities;
o all relevant legislative, regulatory and certificatory requirements;
o relevant contractual obligations or service level agreements;
o other organizational policies for information access, use and disclosure; and
o consistency among such policies across the organization's systems and networks;
Related standard documents need to be developed which shall include:
o clearly stated rules and rights based on user profiles;
o consistent management of access rights across a distributed/networked environment;
o an appropriate mix of logical (technical) and physical access controls;
o segregation of access control roles -- e.g., access request, access authorization, access
administration;
o requirements for formal authorization of access requests ("provisioning"); and
o requirements for authorization and timely removal of access rights ("de-
provisioning").

4.11.5.2 User access management: This category aims to ensure authorized user access, and prevent
unauthorized access, to information and information systems. It typically mandates the below:
o formal procedures to control the allocation of access rights;

o procedures covering all stages in the life-cycle of user access, from provisioning to de-
provisioning;
o special attention to control of privileged ("super-user") access rights; and
o appropriate technical measures for identification and authentication to ensure
compliance with defined access rights.

4.11.5.2.1 User registration


Formal user registration and de-registration procedures shall be implemented, for granting and revoking
access to all information systems and services. The following points need to be considered:
o assignment of unique user-IDs to each user;
o documentation of approval from data system owner for each user's access;
o confirmation by supervisor or other personnel that each user's access is consistent with
business purposes and other security policy controls (e.g., segregation of duties);
o giving each user a written statement of their access rights and responsibilities;
o requiring users to sign statements indicating they understand the conditions of access;
o ensuring service providers do not grant access until all authorization procedures are
completed;
o maintaining a current record of all users authorized to use a particular system or
service;
o immediately changing/eliminating access rights for users who have changed roles or
left the organization;
o checking for and removing redundant or apparently unused user-IDs.
4.11.5.2.2 Privilege management
Allocation and use of access privileges shall be restricted and controlled. The following points need to be
considered:
o development of privilege profiles for each system, based on intersection of user
profiles and system resources;
o granting of privileges based on these standard profiles when possible;
o a formal authorization process for all privileges;
o maintaining a current record of privileges granted.
4.11.5.2.3 User password management
Allocation of passwords shall be controlled through a formal management process. The following points
need to be considered:
o requiring users to sign a statement indicating they will keep their individual passwords
confidential and, if applicable, any group passwords solely within the group;
o secure methods for creating and distributing temporary, initial-use passwords;

o forcing users to change any temporary, initial-use password;
o development of procedures to verify a user's identity prior to providing a replacement
password ("password reset");
o prohibiting "loaning" of passwords;
o prohibiting storage of passwords on computer systems in unprotected form; and
o prohibiting use of default vendor passwords, where applicable.

4.11.5.2.4 User access token management


Allocation of access tokens, such as key-cards, shall be controlled through a formal management process.
The following points need to be considered:
o requiring users to sign a statement indicating they will keep their access tokens secure;
o secure methods for creating and distributing tokens;
o use of two-factor tokens (token plus PIN) where appropriate and technically feasible;
o development of procedures to verify a user's identity prior to providing a replacement
token; and
o prohibiting "loaning" of tokens.
4.11.5.2.5 Review of user access rights
Each user's access rights shall be periodically reviewed using a formal process. The following points need to
be considered:
o review at regular intervals, and after any status change (promotion, demotion, transfer,
termination);
o more frequent review of privileged ("super user") access rights.

4.11.5.3 User responsibilities: This category aims to prevent unauthorized access to, and compromise or
theft of, information and information systems. It includes user awareness of:
o responsibilities for maintaining authentication security, particularly regarding
password and token safety
o responsibilities for securing computers and other office equipment.

4.11.5.3.1 Password use


Users shall follow good security practices in the selection and use of passwords. The following points
need to be considered when advising/requiring users to:
o keep passwords confidential and not "share" them;
o avoid keeping a paper or electronic record of passwords, unless this can be done
securely;
o change a password when there is any suspicion that it has been compromised, and
report the suspicion;

o select "strong" passwords that are resistant to dictionary, brute force or other standard
attacks;
o change passwords periodically;
o change a temporary password on first log-on;
o avoid storing passwords in automated log-on processes;
o not use the same password for business and non-business purposes;
o use the same password for multiple systems/services only where a reasonable level of
security can be assured for each.
4.11.5.3.2 Access token use
Users shall follow good security practices in the use of tokens. The following points need to be considered
when advising/requiring users to:
o keep tokens secure and not "share" them;
o avoid keeping a paper or electronic record of PIN associated with a two-factor token;
and
o report when a token is lost or there is any suspicion that it has been compromised.
4.11.5.3.3 Monitoring of activity history
Users shall monitor password/token activity history where available. The following points need to be
considered when advising/requiring users to:
o observe and report discrepancies in "last successful login" and "last unsuccessful
login" information, when it is available; and
o observe and report discrepancies in date/time information for all other activities which
have timestamps, such as file accesses or modifications.
4.11.5.3.4 Appropriate use of user equipment
Users shall observe appropriate physical and technical practices with respect to the equipment assigned to
them. The following points need to be considered:
o requirement to limit use to performing appropriate functions in an appropriate manner;
o user training in appropriate functions and use; and
o monitoring of user behavior through appropriate technical means.
4.11.5.3.5 Unattended user equipment
Users shall ensure that unattended computing equipment has appropriate protection. Unattended equipment
controls mandated by this policy include but are not limited to:
o terminating active (logged-in) sessions before a device is left unattended, unless it can
be securely "locked" (e.g., with a password-protected screensaver);

o physically securing devices, or the area in which a device is located, with a key-lock or
equivalent if a device will be unattended.

4.11.5.3.6 "Clear desk - clear screen" policy


Users shall ensure that desks and other work areas are kept cleared of papers and any storage media when
unattended. Computer screens shall be kept clear of sensitive information when unattended.
4.11.5.3.7 "Clear equipment" policy
Photocopiers, fax machines and other office equipment shall be kept cleared of papers and any storage media
when unattended.

4.11.5.4 Network access control: The purpose of this section is to outline policies that support prevention
of unauthorized access to network services.

4.11.5.4.1 Policy on use of network services


Users shall only be provided with access to the services that they have been specifically authorized to use.
The following points need to be considered:
o authorization procedures for determining who is allowed to access to which networks
and network services, consistent with other access rights; and
o policies on deployment of technical controls to limit network connections.
4.11.5.4.2 User authentication for external connections
Appropriate authentication methods shall be used to control remote access to the network.
4.11.5.4.3 Equipment/location identification in networks
Where appropriate and technically feasible, access to the network shall be limited to identified devices or
locations.
4.11.5.4.4 Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports shall be appropriately controlled. The
following points need to be considered:
o physical security for on-site diagnostic and configuration ports;
o technical security for remote diagnostic and configuration ports; and
o disabling/removing ports, services and similar facilities which are not required for
business functionality.

4.11.5.4.5 Segregation in networks


Where appropriate and technically feasible, groups of information services, users and information systems
shall be segregated on networks. The following points need to be considered:
o separation into logical domains, each protected by a defined security perimeter;

o secure gateways between/among logical domains.

4.11.5.4.6 Network connection control
Capabilities of users to connect to the network shall be appropriately restricted, consistent with access
control policies and application requirements. The following points need to be considered:
o filtering by connection type (e.g., messaging, email, file transfer, interactive access,
applications access).

4.11.5.4.7 Network routing control


Routing controls shall be implemented to ensure that computer connections and information flows do not
breach the access control policy of the business applications. The following points need to be considered:
o positive source and destination address checking;
o routing limitations based on the access control policy.

4.11.5.5 Operating system access control: The purpose of this section is to outline policies that support
prevention of unauthorized access to operating systems, and the data and services thereof.
Controls shall be implemented to restrict data system access to authorized users, by requiring authentication
of authorized users in accordance with the defined access control policy. Controls include:
o providing mechanisms for authentication by knowledge-, token- and/or biometric-
factor methods as appropriate;
o recording successful and failed system authentication attempts;
o recording the use of special system privileges; and
o issuing alarms when access security controls are breached.

4.11.5.5.1 Secure log-on procedures


Access to data systems shall be controlled by secure log-on procedures. The following points need to be
considered:
o display of a general notice warning about authorized and unauthorized use;
o no display of system or application identifiers until successful log-on;
o no display of help messages prior to successful log-on that could aid an unauthorized
user;
o validation or rejection of log-on only on completion of all input data (e.g., both user-
ID and password);
o no display of passwords as entered (e.g., hide with symbols);
o no transmission of passwords in clear text;
o limits on the number of unsuccessful log-on attempts in total or for a given time
period;

o logging of successful and unsuccessful log-on attempts;
o limits on the maximum and minimum time for a log-on attempt; and
o on successful log-on, display date/time of last successful log-on and any unsuccessful
attempts.
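As an added example, not part of the ADWEA policy, the following Python log-on handler implements the controls listed above: the outcome is decided only after both user-ID and password are supplied, every failure returns the same generic message, attempts are limited and logged, and a successful log-on reports the last successful log-on and the failures since it. All names, limits and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5        # limit on unsuccessful log-on attempts (constructed value)
LOCKOUT_SECONDS = 15 * 60      # lock-out window once the limit is reached (constructed value)
PBKDF2_ITERATIONS = 100_000
BANNER = "Authorized use only. All log-on attempts are logged."  # general warning notice


@dataclass
class Account:
    """Per-user state. The password is kept only as a salted PBKDF2 hash, never in clear."""
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_success: Optional[float] = None
    failures_since_last_success: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginService:
    """Constructed log-on service; the clock is injectable so lock-outs can be tested."""

    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []  # successful and unsuccessful attempts are both logged
        self.clock = clock

    def banner(self) -> str:
        # Shown before any credentials are requested; it names no system or application.
        return BANNER

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt=salt, pw_hash=hash_password(password, salt))

    def _log(self, outcome: str, user_id: str) -> None:
        self.audit_log.append(f"{int(self.clock())} LOGON {outcome} user={user_id}")

    def login(self, user_id: str, password: str) -> dict:
        """Decide the outcome only once both user-ID and password have been supplied,
        and return one generic message for every failure (unknown user, wrong password,
        locked account) so nothing shown before success helps an unauthorized user."""
        now = self.clock()
        generic = {"ok": False, "message": "Log-on failed."}
        acct = self.accounts.get(user_id)
        if acct is None:
            # Do the same amount of work for unknown user-IDs so timing does not reveal them.
            hash_password(password, bytes(16))
            self._log("FAILURE", user_id)
            return generic
        if now < acct.locked_until:
            self._log("LOCKED", user_id)
            return generic
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            result = {
                "ok": True,
                "message": "Log-on successful.",
                # On success, report the last successful log-on and the failures since then.
                "last_successful_logon": acct.last_success,
                "unsuccessful_attempts_since": acct.failures_since_last_success,
            }
            acct.last_success = now
            acct.failed_attempts = 0
            acct.failures_since_last_success = 0
            self._log("SUCCESS", user_id)
            return result
        acct.failed_attempts += 1
        acct.failures_since_last_success += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        self._log("FAILURE", user_id)
        return generic
```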

4.11.5.5.2 User identification and authentication


All data system users shall have a unique identifier ("user-ID") for their personal use only. A suitable
authentication technique -- knowledge-, token- and/or biometric-based -- shall be chosen to authenticate the
user. The following points need to be considered:
o shared user-IDs are employed only in exceptional circumstances, where there is a clear
justification;
o generic user-IDs (e.g., "guest") are employed only where no individual-user audit is
required and limited access privileges otherwise justify the practice;
o strength of the identification and authentication method (e.g., use of multiple
authentication factors) is suitable to the sensitivity of the information being accessed;
and
o regular user activities are not performed from privileged accounts.
4.11.5.5.3 Password management system
Systems for managing passwords shall ensure the quality of this authentication method. The following points
need to be considered:
o log-on methods enforce use of individual user-IDs and associated passwords;
o set/change password methods enforce choice of strong passwords;
o force change of temporary password on first log-on;
o enforce password change thereafter at reasonable intervals;
o store passwords separately from application data; and
o store and transmit passwords in encrypted form only.

4.11.5.5.4 Access token management system


Systems for managing access tokens shall ensure the quality of this authentication method.
4.11.5.5.5 Use of system utilities
Use of system utilities that are capable of overriding other controls shall be restricted, and appropriately
monitored (e.g., by special event logging processes).
4.11.5.5.6 Session time-out
Interactive sessions shall shut down and "lock out" the user after a defined period of inactivity. Resumption
of the interactive session shall require re-authentication. The following points need to be considered:
o time-out periods that reflect risks associated with type of user, setting of use and
sensitivity of the applications and data being accessed;

o waiver or relaxation of time-out requirement when it is incompatible with a business
process, provided other steps are taken to reduce vulnerabilities (e.g., removal of
sensitive data, removal of network connection capabilities).

4.11.5.5.7 Limitation of connection time


Restrictions on connection times shall be used to provide additional security for high-risk applications or
remote communications capabilities. The following points need to be considered:
o restricting connection time (e.g., to normal office hours);
o restricting connection locations (e.g., to IP address ranges); and
o requiring re-authentication at timed intervals.

4.11.5.6 Application and information access control: This category aims to prevent unauthorized access
to information held in application systems.

4.11.5.6.1 Information access restriction


Access to information and application system functions by users and support personnel shall be restricted
in accordance with a defined access control policy that is consistent with the organizational
access policy.
4.11.5.6.2 Sensitive system isolation
Sensitive systems shall have a dedicated (isolated) computing environment. The following points need to
be considered:
o explicit identification and documentation of sensitivity by each system/application
controller; and
o explicit identification and acceptance of risks when shared facilities and/or resources
must be used.

4.11.5.7 Mobile computing and teleworking: This category aims to ensure information security when
using mobile computing and teleworking facilities. Controls shall be implemented that are
commensurate with the:
o type of user(s);
o setting(s) of mobile/teleworking use; and
o sensitivity of the applications and data being accessed from mobile/teleworking
settings.

4.11.5.7.1 Mobile computing and communications


This policy element ensures that appropriate security measures are adopted, for mobile computing and
communications activities. Controls shall apply to laptop, notebook, and tablet computers; mobile phones
and "smart" phone-PDAs; and portable storage devices and media. Controls include requirements for
ensuring:
o physical protection;
o data storage minimization;
o access controls;
o cryptographic techniques;
o data backups;
o anti-virus and other protective software;
o operating system and other software updating;
o secure communication (e.g., VPN) for remote access; and
o sanitization prior to transfer or disposal.

4.11.5.7.2 Teleworking
Under this policy element appropriate standards, procedures and security measures shall be adopted or
developed for "teleworking" activities in off-premises locations. The following points need to be
considered:
o physical security measures at the off-premises site;
o appropriate access controls, given reasonably anticipated threats from other users at
the site (e.g., family members);
o cryptographic techniques for data storage at and communications to/from the site;
o data backup processes and security measures for those backup copies;
o security measures for wired and wireless network configurations at the site;
o policies regarding intellectual property used or created at the site, including software
licensing;
o policies regarding organizational property used at the site (e.g., organizations'
computing hardware);
o policies regarding private property used at the site (e.g., teleworkers' computing
hardware);
o insurance coverage or other specification of financial responsibility for equipment
repair or replacement.

4.11.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section at the end of the overall IT policy set.

4.11.7 Any References

Item Description

4.12 [ITD-PL-012] Third-Party Security Policy

4.12.1 Policy summary / Goals

To ensure that third parties adequately secure the information and technology resources that they access,
process, and manage. This includes information sharing, defining legal obligations, and ensuring non-
disclosure agreements are executed to protect confidential information.
To ensure that supplier agreements are established and documented so that there is no misunderstanding
regarding both parties' obligations to fulfill relevant security requirements.

4.12.2 Applicability / Scope

This policy covers all ADWEA's information resources and supporting systems, whether managed or hosted
internally or externally.

4.12.3 Background

External 3rd party suppliers are a vital component of business operations. Suppliers may have access to a
wide range of information from the supported organization. Once shared with a supplier, direct control of
this information is lost, regardless of sensitivity or value. As a result, appropriate technical and contractual
controls and mitigation processes must be established with all external suppliers.

4.12.4 Guiding principle

When beginning the process of developing and establishing a 3rd party security policy/program, the
following fundamentals must be considered and adhered to:
Identify and document various suppliers and the types of information that they access or
manipulate.
Identify current policies and standards that describe or include third party responsibilities and any
compliance requirements associated with external providers (e.g., HIPAA, PCI DSS, NESA, ISO
27000).
Review data classification standards and how these relate to the suppliers and information that
they handle. Where applicable it shall be ensured that information security and data protection
clauses are included in any supplier contracts.
Review or develop a supplier lifecycle process, including initial reviews, monitoring, validation,
and ongoing assessments.

4.12.5 Detailed policy requirements

4.12.5.1 Information Security Policy for Supplier Relationships


4.12.5.1.1 Organizations shall identify and require information security controls that specifically
address external parties (contractors, service providers) gaining authorized access to
the organization's information in a policy. The controls shall also specify processes and
procedures that shall be followed, either when third party contractors work within the
organization or when there are service provider/hosting arrangements.
4.12.5.1.2 Suppliers shall be managed throughout the lifecycle of a relationship with them, from
initially reviewing their contracts and security methods to monitoring their SLAs and
performance agreements once they are engaged to perform services and/or provide
solutions.
4.12.5.1.3 Access control, especially for sensitive information, must be accurately defined,
managed and monitored. Awareness training for both the organization's staff and
supplier staff that handle or interact with this data must be addressed.
4.12.5.1.4 Service transitions shall be documented and include procedures for secure data
transfers and availability as the relationship changes during the lifecycle.
4.12.5.1.5 Many (but not all) supplier relationships might involve cloud computing services and
processes, which shall be carefully considered as a part of Supplier Relationship
Management.
4.12.5.1.6 At present, cloud-based services are not acceptable to ADWEA. In the future, as and
when the need for a cloud-based service arises and is approved as a business
necessity by top management, adequate cloud-centric controls and policy
elements (based on NESA) need to be incorporated in this document before
engaging in the implementation of any cloud-centric services.

4.12.5.2 Addressing Security within Supplier Agreements


Supplier agreements shall be established and documented to ensure there is no misunderstanding regarding
both parties' obligations to fulfill relevant security, legal, and/or regulatory requirements. While sensitive
data processes and services might be outsourced, responsibility for the associated risk remains with
ADWEA. Supplier agreements shall include (as appropriate) clear and concise information regarding:

4.12.5.2.1 The types of data being accessed and methods of access


4.12.5.2.2 Definitions of data ownership and disposition throughout service lifecycle
4.12.5.2.3 The organization's data classification requirements as it applies to the supplier
4.12.5.2.4 Definition of acceptable uses for the data handled by the supplier
4.12.5.2.5 Establishment of security incident notification requirements
4.12.5.2.6 Processes and procedures for monitoring compliance with the contract requirements
4.12.5.2.7 A "right to audit" the supplier or regular access to external assessments
4.12.5.2.8 Conflict and defect resolution
4.12.5.2.9 Required screening, training or other obligations of the suppliers' staff
4.12.5.2.10 The use of subcontractors to provide services and the extension of security
requirements to them
4.12.5.3 Information and Communication Technology Supply Chain
4.12.5.3.1 Agreements with suppliers shall include requirements to address the information
security risks associated with information and communications technology services and
product supply chains.
4.12.5.3.2 There shall be a process/procedure to identify a product or service that is linked with a
critical capability or service of ADWEA, and requires increased scrutiny. This is
especially true for components procured from suppliers but built outside the supplier
organization. The ability to trace origins and compliance with security requirements is
integral in ensuring both integrity and availability.

4.12.5.4 Supplier Service Delivery Management


Supplier agreements shall be established and documented to ensure there is no misunderstanding regarding
both parties' obligations to fulfill relevant security requirements.

4.12.5.4.1 Once operations of service providers have started, ADWEA shall ensure that the
services delivered conform to the specifications of third-party contracts. This can
include everything from availability levels of the service to something more granular,
such as examining the security controls the service provider agreed to in the contract.
If there is a great level of dependency upon third-party service providers, checking into
service capabilities, plans for handling information security incidents or service
disruptions, and business continuity testing may be warranted. Systematic monitoring
and reviews of services and controls is also recommended, including scrutinizing
service reports provided by the third-party to ensure the information is sufficient and
relevant. As business or information technology requirements are modified, this may
also require a change in the provision of third-party services, and procedures shall be
in place to handle any new requirements. Additionally, modifications may also call for a
review of existing information security controls to ensure they are adequate.
4.12.5.5 Monitoring and Reviewing Supplier Services
4.12.5.5.1 Organizations shall regularly monitor, review and audit supplier service delivery.
Organizations cannot overlook the need to manage the risk to their information assets
that are accessed, processed, communicated to, or managed by external parties
(partners, vendors, contractors, etc.). The service provider shall be continuously
monitored to assure that services provided are meeting the terms of the contract and
security is maintained. There shall be ongoing review of service reports, a process to
address concerns and issues and periodic audits. This section also encompasses
documentation and procedures for handling security incidents, including incident
reporting, mitigation and subsequent reviews. Finally, service capability levels must be
monitored to ensure that the service provider continues to meet the contract terms and
needs of the business. In addition to regular review and monitoring of the services
provided, the contracting organization shall:
o Conduct audits of suppliers in conjunction with outside assessments;
o Require the supplier to promptly notify regarding security incidents;
o Provide regular audit trails and records for security events;
o Have a conflict resolution process that can be invoked if requirements are not
met.

4.12.5.6 Consider the following as an outline for a contract monitoring process:


4.12.5.6.1 During System / Application / Process Implementation
o Identify the individual(s) responsible for monitoring the relationship with the
supplier.
o During project status meetings:
  o Assess and review status reports regarding progress made in the
  implementation of the security requirements included in the contract
  and/or statement of work.
  o Identify new areas or security requirements that may arise from
  changes in scope.
o If applicable, perform or request audit of vendor security practices and
procedures and/or perform penetration test. It may be necessary to include a
legal review by general counsel, as well.
o During final test and prior to sign-off:
  o Test system/application/process security functionality required in the
  contract.
  o Review progress reports and determine if all security requirements
  included in the contract and/or statement of work were completed.
  o If applicable, perform application scan.
4.12.5.6.2 Post Implementation
o Follow up with system/application/process owner.
o Require owner to perform a risk assessment based on policy (annual if
high risk or mission critical and bi-annual for the rest).
o Review with the owner the risk assessment results. Any concerns?
Any problems? Any unknowns that need to be addressed with the
vendor?
o Follow up with the supplier. Access logs available? Any pending items
resolved? Are things on their end as expected? Any owner concerns? Risk
assessment identified deficiencies?
o Based on risk (annually or bi-annually), resubmit third-party information
security risk assessment to assess what has changed, what needs closer
scrutiny, or identify inconsistencies with previous assessments.
o Establish a working relationship with your supplier.
o Participate in the supplier's product improvement committee. What changes are
being considered? How would they impact the institution's risk and security
postures?
o Review security incidents involving the system/application/process. Are these
due to non-compliance?
o If applicable, based on the contract, require subsequent assurance tests.
For current established suppliers, assess their risk (if it has not already been done), and start
with the steps listed in the Post Implementation section above as needed.

4.12.5.6.3 Managing Changes to Supplier Services


All technology systems are undergoing continuous upgrade, change and repair. Changes to service
provisions by suppliers shall be managed and documented, taking into account the sensitivity of information
and services and re-assessment of risks. The contracting organization shall determine how to integrate their
change management process with that of the supplier. Items to consider/include:

o Service enhancements
o Bug fixes
o Use of new technology
o New development tools
o Enhanced security measures
o Change of subcontractor
o Change of physical sites
Where possible, supplier changes shall be integrated with the contracting organization's change
management processes.

4.12.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.

4.12.7 Any References

Item Description

4.13 [ITD-PL-013] Information Systems Acquisition, Development and Maintenance Policy

4.13.1 Policy summary / Goals

To ensure that security requirements are established as an integral part of the entire lifecycle of an
information system.
To ensure that development lifecycle processes are established to maintain the security of information
systems as the systems are designed, developed, tested, and maintained.
To ensure the protection of data used for testing.

4.13.2 Applicability / Scope

This policy covers all ADWEA's information resources and supporting systems, whether managed or hosted
internally or externally.

4.13.3 Background

Security risks and events occur throughout a system's lifetime. This is true whether the system is developed
internally or purchased for on-premises hosting or cloud implementation. Security shall be embedded
throughout all phases of the system development life cycle, assessed during system acquisition processes,
and monitored during system maintenance, including disposal.

4.13.4 Guiding principle

To be most effective, information security must be integrated into the system lifecycle from system inception
through system disposal. Regardless of the formal or informal lifecycle methodology employed, security can
be incorporated into information systems acquisition, development and maintenance by implementing
effective security practices in the following areas:
o Security requirements for information systems
o Security in development and support processes
o Test data

4.13.5 Detailed policy requirements

4.13.5.1 Security requirements of information systems: The objective of this category is to ensure that
security is an integral part of the organization's information systems, and of the business
processes associated with those systems.

4.13.5.1.1 Security requirements analysis and specification


Statements of business requirements for new information systems, or enhancements to existing information
systems shall include specification of the requirements for security controls. The following points need to be
considered:
o consideration of business value of and legal-regulatory-certificatory standards for
information assets affected by the new/changed system(s);
o consideration of administrative, technical and physical controls available to support
security for the system(s);
o integration of these controls early in system design and requirements specification; and
o a formal plan for testing and acceptance, including independent evaluation where
appropriate.

4.13.5.2 Correct processing in applications: This category aims to prevent errors, loss, unauthorized
modification or misuse of information in applications.

4.13.5.2.1 Input data validation


Data input in applications shall be validated to ensure that the data is correct and appropriate. The following
points need to be considered:
o use of both automatic and manual methods of data verification and cross-checking, as
appropriate; and
o defined responsibilities and processes for responding to detected errors.

4.13.5.2.2 Control of internal processing


Validation checks shall be incorporated into applications to detect the corruption of information through
processing errors or deliberate acts. The following points need to be considered:
o use of both automatic and manual methods of data verification and cross-checking, as
appropriate; and
o defined responsibilities and processes for responding to detected errors.

4.13.5.2.3 Message integrity


Requirements for ensuring authenticity and protecting message integrity in applications shall be identified,
and appropriate controls identified and implemented.
4.13.5.2.4 Output data validation
Data output from applications shall be validated to ensure that the processing of stored information is correct
and appropriate to the circumstances. The following points need to be considered:
o use of both automatic and manual methods of data verification and cross-checking, as
appropriate; and
o defined responsibilities and processes for responding to detected errors.
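The four controls of this category (input data validation, control of internal processing, message integrity and output data validation) are easiest to see together in one small processing step. The following is an added example, not code from the policy or from ADWEA: it assumes a constructed meter-reading record schema, a constructed shared HMAC key and a sending system that declares the batch total. Input records are checked against the schema, every message carries an HMAC-SHA256 tag that is verified before the record is trusted, the recomputed batch total is cross-checked against the declared one to catch records lost or duplicated in processing, and the result is plausibility-checked before it leaves the application.

```python
"""Added example (not part of the ADWEA policy): input validation, message
integrity and output validation for a small record-processing step.
The record schema, field names and shared key are constructed for illustration."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Constructed shared key; a real deployment obtains it from key management.
SHARED_KEY = b"example-key-for-illustration-only"

# Constructed schema: a meter reading with an id like "AD-000123" and a kWh count.
METER_ID_RE = re.compile(r"[A-Z]{2}-\d{6}")
MAX_READING_KWH = 1_000_000


class ValidationError(ValueError):
    """Raised when a record fails an input, processing or output control."""


@dataclass(frozen=True)
class Reading:
    meter_id: str
    kwh: int


def validate_input(raw: dict) -> Reading:
    """Input data validation: accept only records that match the schema exactly."""
    if set(raw) != {"meter_id", "kwh"}:
        raise ValidationError(f"unexpected field set: {sorted(raw)}")
    meter_id, kwh = raw["meter_id"], raw["kwh"]
    if not isinstance(meter_id, str) or not METER_ID_RE.fullmatch(meter_id):
        raise ValidationError("meter_id has the wrong format")
    # bool is a subclass of int in Python, so it must be excluded explicitly.
    if isinstance(kwh, bool) or not isinstance(kwh, int) or not 0 <= kwh <= MAX_READING_KWH:
        raise ValidationError("kwh is not an integer in the allowed range")
    return Reading(meter_id, kwh)


def canonical(reading: Reading) -> bytes:
    """Canonical JSON so sender and receiver authenticate exactly the same bytes."""
    return json.dumps({"meter_id": reading.meter_id, "kwh": reading.kwh},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload: bytes, key: bytes = SHARED_KEY) -> str:
    """Message integrity: HMAC-SHA256 tag over the payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_message(payload: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Constant-time comparison so verification does not leak timing information."""
    return hmac.compare_digest(sign_message(payload, key), tag)


def process_batch(readings: list, declared_total: int) -> dict:
    """Control of internal processing: recompute the batch total and cross-check it
    against the total the sending system declared, which catches records that were
    dropped or duplicated in transit or during processing."""
    per_meter: dict = {}
    for r in readings:
        per_meter[r.meter_id] = per_meter.get(r.meter_id, 0) + r.kwh
    total = sum(per_meter.values())
    if total != declared_total:
        raise ValidationError(f"batch total {total} != declared {declared_total}")
    return {"count": len(readings), "total_kwh": total, "per_meter": per_meter}


def validate_output(result: dict, expected_count: int) -> dict:
    """Output data validation: plausibility checks before the result leaves the app."""
    if result["count"] != expected_count:
        raise ValidationError("record count does not match the input batch")
    if result["total_kwh"] > expected_count * MAX_READING_KWH:
        raise ValidationError("total exceeds the physically possible maximum")
    return result


def receive_and_process(messages: list, declared_total: int) -> dict:
    """Verify each (payload, tag) pair, validate, process, then validate the output."""
    readings = []
    for payload, tag in messages:
        if not verify_message(payload, tag):
            raise ValidationError("message integrity check failed")
        readings.append(validate_input(json.loads(payload)))
    return validate_output(process_batch(readings, declared_total), len(messages))


# Constructed sample batch: two readings signed by the sending system.
SAMPLE_MESSAGES = [(p, sign_message(p)) for p in (
    canonical(Reading("AD-000123", 1500)),
    canonical(Reading("AD-000124", 250)),
)]
SAMPLE_DECLARED_TOTAL = 1750
```

A tampered payload fails `verify_message`, a dropped message fails the declared-total cross-check, and a record with the wrong type or format never reaches processing; each failure is a `ValidationError`, which is the hook for the "defined responsibilities and processes for responding to detected errors" the policy calls for.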

4.13.5.3 Cryptographic controls: This category aims to protect the confidentiality, integrity and authenticity
of information by cryptographic means.

4.13.5.3.1 Policy on the use of cryptographic controls


Adequate policies and procedures on the use of cryptographic controls for protection of information shall be
developed and implemented. The following points need to be considered:
o statement of general principles and management approach to the use of cryptographic
controls;
o specifications based on a thorough risk assessment, that considers appropriate
algorithm selections, key management and other core features of cryptographic
implementations;
o consideration of legal restrictions on technology deployments;
o application, as appropriate, to data at rest and fixed-location devices, data transported
by mobile/removable media and embedded in mobile devices, and data transmitted
over communications links; and
o specification of roles and responsibilities for implementation of and the monitoring of
compliance with the policy
4.13.5.3.2 Key management
Key management policies and processes shall be implemented to support an organization's use of
cryptographic techniques. The following points need to be considered and supported by relevant procedures:
o distributing, storing, archiving and changing/updating keys;
o recovering, revoking/destroying and dealing with compromised keys; and
o logging all transactions associated with keys.

4.13.5.4 Security of system files: This category aims to ensure the security of critical system files.

4.13.5.4.1 Control of operational software


Procedures shall be implemented to control the installation of software on operational systems, to minimize
the risk of interruptions in or corruption of information services. The following points need to be considered:
o updating performed only with appropriate management authorization;
o updating performed only by appropriately trained personnel;
o only appropriately tested and certified software deployed to operational systems;

o appropriate change management and configuration control processes for all stages of
updating;
o appropriate documentation of the nature of the change and the processes used to
implement it;
o a rollback strategy in place, including retention of prior versions as a contingency
measure; and
o appropriate audit logs maintained to track changes.

4.13.5.4.2 Protection of system test data


Test data shall be selected carefully and appropriately logged, protected and controlled.
4.13.5.4.3 Access control for program source code
Access to program source code shall be restricted. The following points need to be considered:
o appropriate physical and technical safeguards for program source libraries,
documentation, designs, specifications, verification and validation plans; and
o maintenance and copying of these materials subject to strict change management and
other controls.

4.13.5.5 Security in development and support processes: This category aims to maintain the security of
application system software and information.

4.13.5.5.1 Change control procedures


The implementation of changes shall be controlled by the use of formal change control procedures. The
following points need to be considered:
o a formal process of documentation, specification, testing, quality control and managed
implementation;
o a risk assessment, analysis of actual and potential impacts of changes, and
specification of any security controls required;
o a budgetary or other financial analysis to assess adequacy of resources;
o formal agreement to and approval of changes by appropriate management;
o appropriate notification of all affected parties prior to implementation, on the nature,
timing and likely impacts of the changes; and
o scheduling of changes to minimize the adverse impact on business processes.

4.13.5.5.2 Technical review of applications after operating system changes


When operating systems and processes are changed, critical business processes shall be reviewed and tested
to ensure that there has been no adverse impact.

4.13.5.5.3 Restrictions on changes to software packages


Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall
be strictly controlled.
4.13.5.5.4 Information leakage
Opportunities for information leakage shall be appropriately minimized or prevented. The following points
need to be considered:
o risk assessment of the probable and possible mechanisms for information leakage, and
consideration of appropriate countermeasures;
o regular monitoring of likely information leak mechanisms and sources; and
o end-user awareness and training on preventive strategies (e.g., to remove meta-data in
transferred files).
4.13.5.5.5 Outsourced software development
Outsourced software development shall be appropriately supervised and monitored by the organization.

4.13.5.6 Technical vulnerability management: This category aims to reduce risks resulting from
exploitation of published technical vulnerabilities.

4.13.5.6.1 Control of technical vulnerabilities


Timely information about technical vulnerabilities of information systems used by the organization shall be
obtained, evaluated in terms of organizational exposure and risk, and appropriate countermeasures taken.
The following points need to be considered:
o a complete inventory of information assets sufficient to identify systems put at risk by
a particular technical vulnerability;
o procedures to allow timely response to identification of technical vulnerabilities that
present a risk to any of the organization's information assets, including a timeline
based on the level of risk;
o defined roles and responsibilities for implementation of countermeasures and other
mitigation procedures.
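The three points above (an inventory good enough to identify affected systems, a risk-based response timeline, and defined ownership of the countermeasure) can be turned into a repeatable triage step. The following is an added example, not a procedure or tool from the policy or from ADWEA: it assumes a constructed asset inventory, a constructed advisory with a placeholder identifier, an assumed rule that raises the vendor severity one step for internet-facing or high-criticality assets, and assumed remediation timelines of 7/30/90/180 days. It shows why versions must be compared numerically rather than as strings, and how the same advisory yields different deadlines for different systems.

```python
"""Added example (not the ADWEA policy's own procedure or tooling): match a
vulnerability advisory against an asset inventory and derive a risk-based
remediation deadline for each affected system. Inventory, advisory, product
names, the exposure rule and the timelines are all constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: tuple        # parsed with parse_version, e.g. (3, 2, 1)
    criticality: str      # assumed business classification: "high", "medium" or "low"
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder id, not a real identifier
    product: str
    fixed_in: tuple       # first version that contains the fix
    severity: str         # vendor severity: "low", "medium", "high" or "critical"


RISK_ORDER = ["low", "medium", "high", "critical"]
# Assumed remediation timelines in days, indexed by the derived risk level.
TIMELINE_DAYS = {"low": 180, "medium": 90, "high": 30, "critical": 7}


def parse_version(text: str) -> tuple:
    """Turn "3.10.0" into (3, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Inventory check: same product and a version below the fixed one."""
    return asset.product == adv.product and asset.version < adv.fixed_in


def risk_level(asset: Asset, adv: Advisory) -> str:
    """Organizational exposure (assumed rule): raise the vendor severity one step
    when the asset is internet-facing or classified as high criticality."""
    idx = RISK_ORDER.index(adv.severity)
    if asset.internet_facing or asset.criticality == "high":
        idx = min(idx + 1, len(RISK_ORDER) - 1)
    return RISK_ORDER[idx]


def triage(inventory: list, adv: Advisory, today_iso: str) -> list:
    """Return [(asset name, risk level, deadline as ISO date)] for affected assets,
    earliest deadline first, so countermeasures can be scheduled by risk."""
    today = date.fromisoformat(today_iso)
    rows = []
    for asset in inventory:
        if is_affected(asset, adv):
            level = risk_level(asset, adv)
            deadline = today + timedelta(days=TIMELINE_DAYS[level])
            rows.append((asset.name, level, deadline.isoformat()))
    return sorted(rows, key=lambda row: row[2])


# Constructed inventory and advisory (product names and id are placeholders).
INVENTORY = [
    Asset("web-portal-01", "exampleapp", parse_version("3.2.1"), "high", True),
    Asset("intranet-wiki", "exampleapp", parse_version("3.2.1"), "low", False),
    Asset("reporting-db", "exampledb", parse_version("13.2"), "high", False),
    Asset("build-server", "exampleapp", parse_version("3.3.0"), "medium", False),
]
ADVISORY = Advisory("ADV-PLACEHOLDER-0001", "exampleapp", parse_version("3.2.4"), "high")

if __name__ == "__main__":
    for name, level, deadline in triage(INVENTORY, ADVISORY, "2024-01-01"):
        print(f"{name}: {level} risk, remediate by {deadline}")
```

The inventory fields used here (product, version, criticality, exposure) are the minimum the first bullet demands; without them a published advisory cannot be mapped to the systems it puts at risk, and the timeline in the second bullet cannot be applied.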

4.13.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.

4.13.7 Any References

Item Description

4.14 [ITD-PL-014] Information Security Incident Management Policy

4.14.1 Policy summary / Goals

To ensure a consistent and effective approach to the management of information security incidents, including
communication on security events and weaknesses.
Ensure personnel are trained and equipped to detect, report, and respond to adverse events, providing the
foundation for effective Information Security Incident Management.
Build an effective, timely, repeatable methodology for managing information security incidents that meets
legal requirements and is continually improved.
To ensure that the Information security incident response is integrated with the overall risk management
process to provide the capability to update the risk management portfolio.

4.14.2 Applicability / Scope

This policy covers ADWEA's information security related incident management and supporting systems and
processes, whether managed or hosted internally or externally.

4.14.3 Background

No matter the extent of our defenses, it is inevitable that information security incidents will occur. For this
reason, establishing, periodically assessing, and continually improving incident management processes and
capabilities is very important.

4.14.4 Guiding principle

These are some of the fundamental elements of any Incident management program which can act as our
guidelines for developing an appropriate IS incident management policy and process. They are listed below.
Define what constitutes an information security incident and review how varied incidents can be
classified.
Consider what constitutes an information security incident that requires special handling (vs.
common security events). Review incident classification schemes that allow for aligning
handling procedures to potential impacts and risks.
Identify and establish essential roles and procedures needed for effective incident management.
Evaluate the technical and operational capabilities of your organization to detect and respond to
security incidents. Consider how senior management support can be gained to formalize effective
incident management processes. Formulate procedures and workflow for effectively addressing
incidents throughout their lifecycle.

Create effective communication, coordination, and reporting plans for a broad spectrum of
incidents including data breach events.
Identify key partners and stakeholders and levels of communication and engagement. Review the
legal and contractual communication requirements associated with data types that may be
involved in Information Security Incidents.
Adapt and learn from security incidents and strive for continual improvement by identifying
and planning for training needs and enhancement of response capabilities.

4.14.5 Detailed policy requirements

4.14.5.1 Reporting information security events and weaknesses: This category aims to ensure
information security events and weaknesses associated with the organization's information and
information system assets are communicated in a manner to allow appropriate corrective actions
to be taken.

4.14.5.1.1 Reporting information security events


Information security events shall be reported through appropriate management channels as quickly as
possible. The following points need to be considered:
o establishment of formal event reporting process(es) and procedure(s), setting out
actions to be taken and points of contact;
o awareness on the part of all employees, contractors and third-party users of the event-
reporting process(es), including the requirement to report security events and
weaknesses;
o awareness of the requirement to report as quickly as possible, with sufficient detail to
allow a timely response;
o awareness of the prohibition on adverse action for reports made in good faith;
o suitable feedback processes to ensure that those reporting events are appropriately
notified of results.
4.14.5.1.2 Reporting security weaknesses
All employees, contractors and third party users shall be required to note and report any observed or
suspected security weaknesses in systems or services as soon as possible. The following points need to be
considered:
o easy, accessible channels for reporting, the availability of which is clearly
communicated to employees, contractors and third parties;
o reasonable awareness on the part of employees, contractors and third parties of
common signs and symptoms of security events;
o reporting requirement extends to malfunctions or other anomalous events that might
indicate a security weakness;
o awareness on the part of employees, contractors and third parties that they shall report,
but not attempt to test, a suspected security vulnerability unless they have appropriate
technical skills and an immediate response is required, since this might be interpreted
as a potential misuse.

4.14.5.2 Management of information security incidents and improvements: This category aims to ensure a
consistent and effective approach is applied to the management of information security events
and incidents.

4.14.5.2.1 Responsibilities and procedures

Management responsibilities and procedures shall be established to ensure a quick, effective and orderly
response to information security incidents. The following points need to be considered:
o processes to ensure routine use of data from the ongoing monitoring of systems to
detect events and incidents;
o procedures specifically designed to respond to different types and severities of
incident, including appropriate analysis and identification of causes, containment,
communication with those actually or potentially affected by the incident, reporting of
the incident to appropriate authorities, planning and implementation of corrective
action to prevent reoccurrence as appropriate;
o collection and use of audit trails and similar evidence as part of the incident
management and investigation process, and appropriate management of this evidence
for use in subsequent legal or disciplinary proceedings;
o formal controls for recovery and remediation, including appropriate documentation of
actions taken.

4.14.5.2.2 Learning from information security incidents

There shall be mechanisms in place to enable the types, volumes and costs of information security incidents
to be quantified and monitored. The following points need to be considered:
o routine sharing of data on information security incidents among the parties responsible
for receiving reports and managing investigations;
o periodic reports summarizing the data derived from this sharing.
4.14.5.2.3 Investigation of incidents
Where disciplinary or legal action may be part of the follow-up to an information security incident, any
investigation shall be initiated in a manner that follows documented procedures and conforms to accepted
practices. The following points need to be considered:
o specifying what persons or classes of person may request an investigation, and on
what basis;
o specifying what persons or classes of person may initiate an investigation process,
including collection of evidence;
o specifying the necessary documentation to initiate an investigation, and the
documentation required as the investigation proceeds;
o procedures for securing and maintaining the integrity of investigatory records; and
o observing appropriate procedures to assure "chain of custody" for any information
collected.
4.14.5.2.4 Collection of evidence
Where an investigation has been initiated as part of possible disciplinary or legal action, evidence shall be
collected, retained and presented in a manner that follows documented procedures and conforms to accepted
practices. The following points need to be considered:
o specifying who may initiate an investigation, and on what basis;
o specifying the necessary documentation to initiate an investigation, and the
documentation required as the investigation proceeds;
o securing and maintaining the integrity of copies of paper records, including "originals"
if such exist;
o securing and maintaining the integrity of copies of electronic records or other data on
computer media relevant to the incident; and
o observing appropriate procedures to assure "chain of custody" for any information
collected.

4.14.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.

4.14.7 Any References

Item Description


4.15 [ITD-PL-015] Information Systems Continuity Planning Policy

4.15.1 Policy summary / Goals

Information system continuity planning provides a managed, organized method for the deployment of
resources and procedures to assure the continuity of critical IS dependent business operations under
extraordinary circumstances, including the maintenance of measures to assure the privacy and security of its
information resources. The key objective/ goal is to ensure timely resumption from, and if possible
prevention of, interruptions to business activities and processes caused by failures of information systems.

4.15.2 Applicability / Scope

The IS continuity policy covers all of ADWEA's information resources and the supporting people, processes
and systems, whether managed or hosted internally or externally.

4.15.3 Background

Organizations are vulnerable to a variety of natural and man-made emergencies, disasters, and hazards.
Recognizing that not all events can be prevented and some risks may be deemed acceptable, proper planning
is essential to maintain or restore services when an unexpected or unavoidable event disrupts normal
operations.

4.15.4 Guiding principle

The following are fundamental elements of any critical-functions continuity program; they serve as
guidelines for developing an appropriate Information Systems Continuity policy and process.
• Obtain commitment and authority from organizational leadership. High-level support is essential
for building the cross-functional teams that are needed to prepare and deploy the plan.
• Establish a planning team for each business unit.
• Perform a risk assessment in each unit.
• Identify critical resources:
o People: identify all support staff, and establish a chain of succession for key personnel.
o Places: identify key buildings, and plan alternate locations for workers and equipment.
o Systems: perform a business impact analysis to prioritize systems in terms of criticality.
o Other: identify other critical assets required for normal business operations.
• Determine continuity and recovery strategies within each unit.
• Train students, faculty, and staff on what to do in case of a disaster.
• Test, test, test! Test system recovery procedures. Generate scenarios and simulate them with table-top
exercises.
• Create a communication plan.
• Review the business continuity plan annually.

4.15.5 Detailed policy requirements

4.15.5.1 Information security aspects of business continuity management: This category's objective is to
ensure timely resumption from, and if possible prevention of, interruptions to business activities
and processes caused by failures of information systems.

4.15.5.1.1 Including information security in the business continuity management process

A managed process shall be developed and maintained for business continuity throughout the organization,
that includes information security requirements needed for the organization's business continuity. The
following points need to be considered:
o identification of information assets involved in critical business processes;
o a risk assessment that addresses likely causes and consequences of information system
failures;
o identification and consideration of preventive and mitigating controls in light of these
risks;
o identification of sufficient financial, technical and human resources to address the
preventive/mitigating control requirements;
o development and documentation of business continuity plans and processes, including
assignment of responsibilities and incorporation into the organization's general
processes and structure; and
o regular testing and updating of business continuity plans and processes.
4.15.5.1.2 Business continuity and risk assessment
Events that can cause interruptions to business processes shall be identified, along with the probability and
impact of such interruptions and their consequences for information security. The following points need to
be considered:
o identification of all significant risk/risk categories, including the probability and
probable impact on operations in terms of scale, likely damage and recovery period;
o full involvement of owners of significant organizational assets in the assessment
process;
o identification of acceptable and unacceptable losses and interruptions; and
o formal documentation of the assessment's results, and a plan for regular updating to
ensure completeness and currency (see next).


4.15.5.1.3 Developing and implementing continuity plans including information security

Information systems continuity plans shall be developed and implemented to maintain or restore operations
and ensure availability of information at the required level and in the required time, following interruptions
to or failures of business processes. The following points need to be considered:
o identification of and agreement on all responsibilities and operational procedures;
o specification of the disaster recovery/business continuity procedures to effect recovery
and restoration of business processes;
o a data backup plan to ensure recovery of all data following process restoration,
including the ability to replicate exact copies of data in its state prior to disruption of
operations;
o specification of alternative operational procedures to follow pending completion of
recovery and restoration, including methods for accessing all critical data;
o documentation of the above plan elements;
o appropriate education and awareness efforts for staff on the plan elements;
o testing and updating of the plan.

4.15.5.1.4 Business continuity planning framework

A single framework of business continuity plans shall be maintained to ensure that all plans are consistent,
consistently assess information security requirements, and to identify priorities for testing and maintenance.
The following points need to be considered:
o specification of conditions and criteria for activating the plan; and
o formal assignment of responsibilities for making assessments about plan activation,
choices among emergency procedures and processes, resumption procedures, etc.
4.15.5.1.5 Testing, maintaining and re-assessing business continuity plans
Business continuity plans shall be tested and updated regularly to ensure that they are up to date and
effective. The following points need to be considered:
o testing that assures that all persons with significant responsibilities under the plan(s)
are aware of and competent to perform them;
o a range and frequency of testing exercises, from table-top to complete rehearsals,
performed as necessary to ensure awareness and competence; and
o regular reviews and updating of the plan(s) considering testing results.

4.15.6 Responsibilities and accountabilities

As per the Roles and Responsibilities section mentioned at the end of the overall IS policy.


4.15.7 Any References

Item Description


5 ROLES AND RESPONSIBILITIES

Role Description

Personnel
All ADWEA's personnel (employees and contractors) are responsible for complying with this policy.

CISO (Chief Information Security Officer)
The CISO has the overall responsibility for the enterprise information security program. Depending on a
variety of factors within the enterprise, the CISO may report to the CEO, COO, CIO, CRO or other senior
executive management.
The CISO is the liaison between executive management and the information security program. The CISO
shall also communicate and co-ordinate closely with key business stakeholders to address information
protection needs.
The CISO must:
• Have an accurate understanding of the business strategic vision
• Be an effective communicator
• Be adept at building effective relationships with business leaders
• Be able to translate business objectives into information security requirements
The CISO is responsible for:
• Establishing and maintaining an information security management system (ISMS)
• Defining and managing an information security risk treatment plan
• Monitoring and reviewing the ISMS
Information (IT) Security Steering Committee (ISSC)
The ISSC ensures that good practices related to information security are applied effectively and
consistently throughout the enterprise. The composition is typically:
• CISO
o ISSC chair and liaison to the ERM committee
o Responsible for overall enterprise information security
• ISM (Information Security Manager)
o Communication of design, implementation and monitoring of practices
o When applicable, the ISM discusses design solutions beforehand with the information security
architects to mitigate identified information risk
• Information custodians / business owners
o In charge of certain processes or business applications
o Responsible for communicating business initiatives that may impact information security, and
information security practices that may impact the user community
o May understand business/operational risk, costs and benefits, and specific information security
requirements for his/her business area
• IT manager
o Reports on the status of IT-related information security initiatives
• Representatives of specialist functions
o Bring specialist input to the table when relevant, for example from representatives of internal
audit, HR, legal, risk and the project management office (PMO)
o These functions can be asked to join the ISSC on occasion or as permanent members. It may be
worthwhile to have representatives of internal audit as permanent members to advise the
committee on compliance risk.

Information Security Manager (ISM)
The Information Security Manager has the overall responsibility for the management of information
security efforts. He is typically responsible for the following:
• Develop and communicate a common vision for the information security team that is in line with the
corporate vision statement.
• Manage allocation of information security staff per business requirements.
• Conduct information risk assessments and define the information risk profile.
• Manage roles, responsibilities, access privileges and levels of authority.
• Develop an information security plan that identifies the information security environment and controls
to be implemented by the project team to protect organizational assets. Monitor these internal controls
and adjust/improve when required.
• Identify and communicate information security pain points, desirable behaviors and changes needed to
address these points.
• Provide ways to improve efficiency and effectiveness of the information security function (e.g., through
training of information security staff, documentation of processes, technology and applications, and
standardization and automation of the process).
• Collect and analyze performance and compliance data relating to information security and information
risk management.
• Ensure that environmental and facilities management adheres to information security requirements.

Enterprise Risk Management Committee (ERM)
The ERM committee is responsible for the enterprise's decision making relative to assessing, controlling,
optimizing, financing and monitoring risk from all sources for increasing the enterprise's short- and
long-term value to its stakeholders. The composition is typically:
• CISO
o In the optimal scenario, the CISO is a member of the ERM committee, to provide the committee
with advice on specific information risk.
• CEO, COO, CFO, etc.
o Representatives of senior executive management
• Core process business owners
o In charge of certain processes or business applications
o Responsible for communicating business initiatives that may impact information security, and
information security practices that may impact the user community
o May understand business/operational risk, costs and benefits, and specific information security
requirements for his/her business area
• Audit/compliance
o Provide specialist input when relevant. Can be asked to join the ERM committee on occasion or as
permanent members. For example, it might be worthwhile to have representatives of internal audit
as permanent members to advise the committee on compliance risk.
• Legal representatives
o Provide legal input. Can be asked to join the ERM committee on occasion or as a permanent member.
• CRO
o Provide specialist input when relevant. Can be asked to join the ERM committee on occasion or as a
permanent member.

Information Custodians / Business Process Owners
Information custodians or business owners act as the liaison between the business and information security
functions. They can be associated with types of information, specific applications, or business units in an
enterprise. The person in this role shall possess a good understanding of the business and the types of
information processed and requiring protection. They serve as trusted advisors and monitoring agents
regarding information within the business.
This role shall balance business and information risk so that the business does not always trump
information security decisions.

Managers
Managers are directly responsible for supporting the Information Security Policy and ensuring staff
compliance in their respective departments.

Policy Owner
The Policy Owner is responsible for providing support and advice about this policy.


6 EXCEPTIONS AND CONDITIONS

6.1 All the defined security policies are applicable to new IT systems without exception.
However, where the above security measures cannot be implemented in existing control
systems due to older technology or system limitations, the policy recommends enforcing
the measures to an acceptable extent without affecting the performance, integrity and
availability of the IT systems.

6.2 Temporary override of security controls such as Application Whitelisting, DLP, HIPS,
etc. may be allowed for legitimate job requirements by authorized personnel with
approval.

6.3 Security updates / solutions including new Virus definitions, Operating system patch
etc. shall be qualified / approved by the respective IT system Vendors. The IT system
Vendor is accountable for any performance / availability issues arising on IT systems
from the Security solutions provided or approved by the Vendor.


7 REFERENCES

Item Description


8 APPENDICES

8.1 Definitions

Glossary term (acronym, if any): Definition

Information Security (InfoSec): Preservation of the availability, integrity, and confidentiality of
information
Availability (A): Property of being accessible and usable upon demand by an authorized entity
Integrity (I): Property of protecting the accuracy and completeness of assets
Confidentiality (C): Property that information is not made available or disclosed to unauthorized
individuals, entities, or processes
Policy: Overall intention and direction as formally expressed by management
Process: Set of interrelated or interacting activities which transforms inputs into outputs
Procedure: Specified way to carry out an activity or process
Exception: Any deviation from security policies and standards
Process Owner: Person or role who has ultimate responsibility for the performance of a process
Standard: Technical specification contained in a document consisting of definitions, limits, or rules
which have been approved and are monitored for compliance
System: A combination of related parts organized into a complex whole; a method or set of procedures
for achieving something, including both services and processes
Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational
structures, which can be of administrative, technical, management, or legal nature

Risk management framework: Set of components that provide the foundations and organizational
arrangements for designing, implementing, monitoring, reviewing and continually improving risk
management throughout the organization
Risk management policy: Statement of the overall intentions and direction of an organization related to
risk management
Risk owner: Person or entity with the accountability and authority to manage a risk
Stakeholder: Person or organization that can affect, be affected by, or perceive themselves to be affected
by a decision or activity
Level of risk: Magnitude of a risk or combination of risks, expressed in terms of the combination of
consequences and their likelihood
Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether
the risk and/or its magnitude is acceptable or tolerable
Residual risk: Risk remaining after risk treatment
