The purpose of this document is to ensure that appropriate measures are put in place to protect corporate information and the information systems, services and equipment owned or used by Utopian Designs.
The following sections of the Security Policy, which apply to web development, are quoted below.
- Relevant Users
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance
- E-mail and Internet Use (see Policy on the use of the Internet).
- Contract / temporary access
1. RELEVANT USERS
1.1. The Utopian Designs Security Policy is relevant to all categories of users of Utopian Designs equipment or systems, which includes staff, members, partners, and the public. Individual policy statements will identify any exemptions or exclusions, and some policies may relate specifically to one category.
2. ACCESS CONTROL
2.1. Access to all Utopian Designs networked or computer services, and intelligent network devices, must be via a secure log-on process designed to minimize the opportunity for unauthorized access.
2.2. Each user of a computer system must be uniquely identified to the system. Where passwords are used they will be managed in a secure manner to ensure their confidentiality and integrity.
2.3. Computer applications which are essential to Utopian Designs, contain information important to the provision of Utopian Designs services, and/or contain data registered under the Data Protection Act, must require a user to enter a unique identifier and password before access to the application is provided. This identifier must determine the individual access rights afforded to the user.
2.4. Access to computer systems and data must be appropriately secured when left unattended.
2.5. All system use must be monitored to ensure conformance with the policy.
2.6. Each computer application must have a nominated system owner, who must be responsible for the system performance, integrity, and access control.
2.7. Data owners must be identified and must assume the role of controller over that data. Such data may be provided, deleted and/or amended only upon authorization from the data owner.
2.8. Access to Utopian Designs data other than that identified as publicly accessible can be provided to third parties only with evidenced agreement of an authorized officer, and only through an agreed route. The rights and obligations of the third party must be clearly evidenced.
2.9. Formal agreements must be established and evidenced between Utopian Designs and external establishments for the exchange of critical or sensitive data.
2.10. All off-line storage media must be secured against unauthorized access.
2.11. Where passwords are used to protect data files (e.g. word-processor (WP) files, website files, etc.) or local databases, the user is obliged to securely record the password and lodge it under management control to facilitate the recovery of the data.
2.12. Homeworkers must ensure that the data and systems under their control within their home environment are adequately secured against misuse, loss, theft, and/or damage.
3. SYSTEMS DEVELOPMENT AND MAINTENANCE
3.1. All systems which are being procured or developed must conform with the ICT Security Policies and any other relevant Utopian Designs policies.
3.2. All computer applications and/or data must be assessed to determine the level of data integrity required, and appropriate system based validation must be applied to the data during input, amendment and deletion.
3.3. Prior to live implementation, all computer applications must be tested and proved to user satisfaction to: function correctly in respect of the business specification; co-exist where necessary with other applications; and have appropriate security controls.
4. BUSINESS CONTINUITY MANAGEMENT (BCM)
Business continuity management is management’s capability to identify potential impacts that threaten an organization and to provide a framework for building resilience and an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
4.1. All systems must be regularly assessed for their resilience to continue to provide an agreed level of service.
4.2. All business systems and processes must be appropriately and regularly assessed for risks of failure. Adequate documented contingency plans must be developed, regularly tested, and reviewed.
4.3. Appropriate system and data backup must be undertaken, securely stored, and periodically tested, to ensure minimum disruption to business processing in the event of an incident requiring systems and or data to be restored to a position prior to the incident.
5. COMPLIANCE
5.1. All users of Utopian Designs equipment are required to comply with all relevant legal statutes and licensing agreements.
5.2. All systems are the property and responsibility of Utopian Designs. While users are permitted limited personal use of e-mail, the Internet, word processing and spreadsheets, no document or file can be assumed by a user to be private, and any file which the user requires to remain private should not be held on Utopian Designs equipment.
5.3. Utopian Designs retains the right to access and review any document or file stored on Utopian Designs equipment and must do so to ensure that no policy, agreement, or legal statute is contravened.
6. E-MAIL AND INTERNET USE
6.1. Only authorized users shall have legitimate access to the authorized e-mail facilities provided by Utopian Designs. Limited personal use shall be permitted but all use must be in accordance with the Personnel Code of Conduct and within the bounds of public decency.
6.2. Users provided with access to the Internet shall use it for appropriate business-related purposes, and not in excess of legitimate requirements. Limited personal use is permitted, but all use must be in accordance with the Personnel Code of Conduct and within the bounds of public decency.
6.3. Utopian Designs encourages staff, customers and associates to use the internet in order to further the strategic and operational objectives of their business or administrative duties. Utopian Designs encourages the use of the Internet to share information, to improve communication and to exchange ideas.
6.4. Inappropriate usage of Internet facilities includes, but is not restricted to, accessing or posting of discriminatory, defamatory, offensive material or materials that may create or promulgate a negative impression of Utopian Designs or its clients.
7. CONTRACT / TEMPORARY ACCESS
7.1. Where temporary access is required for a specific purpose such as, but not restricted to, contract workers and ‘test’ accounts, a user expiry date based on the completion date of the required tasks must be used to ensure the temporary account is not accessible after that date.
7.2. In the case of ongoing maintenance and support from third-party companies, access must only be granted to the relevant facilities within the system and be restricted to only the systems for which they provide support.
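The two requirements in section 7 are the ones most often enforced in application code rather than by a written procedure: a temporary account must stop working on its expiry date (7.1), and a third-party support account must only reach the systems it supports (7.2). The following is an added example written for this page, not code from Utopian Designs or its policy; the account kinds, the sample directory and the system names are assumptions constructed for illustration. It validates account records against both clauses, makes an authorization decision for a given system and date, and lists accounts that are past their expiry date so the check can be run as a periodic audit.

```python
"""Added example (not Utopian Designs code): time-bounded and system-scoped
access decisions for temporary and third-party accounts, per clauses 7.1 and 7.2.
Account kinds, system names and the sample directory are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple, Union

# Account kinds for which 7.1 makes an expiry date mandatory (assumed naming).
TEMPORARY_KINDS = frozenset({"contractor", "test"})
# Account kind for which 7.2 restricts access to the supported systems only.
THIRD_PARTY = "third_party"


@dataclass(frozen=True)
class Account:
    user_id: str
    kind: str                          # "staff", "contractor", "test" or "third_party"
    systems: FrozenSet[str]            # systems this account may reach
    expires_on: Optional[date] = None  # last day on which access is valid


class PolicyViolation(ValueError):
    """The account record itself does not satisfy section 7."""


def _as_date(value: Union[date, str]) -> date:
    """Accept either a date or an ISO-8601 string such as '2024-04-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def validate_account(acct: Account) -> None:
    """Reject records that could never be policy-compliant, before any access decision."""
    if acct.kind in TEMPORARY_KINDS and acct.expires_on is None:
        raise PolicyViolation(f"{acct.user_id}: temporary account without expiry date (7.1)")
    if acct.kind == THIRD_PARTY and not acct.systems:
        raise PolicyViolation(f"{acct.user_id}: third-party account with no supported systems (7.2)")


def authorize(acct: Account, system: str, today: Union[date, str]) -> Tuple[bool, str]:
    """Decide whether acct may access `system` on `today`; deny with a reason otherwise.
    Expiry is checked before the system list so an expired account is refused everywhere."""
    validate_account(acct)
    today = _as_date(today)
    if acct.expires_on is not None and today > acct.expires_on:
        return False, f"account expired on {acct.expires_on.isoformat()}"
    if system not in acct.systems:
        return False, f"not authorized for system {system!r}"
    return True, "ok"


def expired_accounts(directory: List[Account], today: Union[date, str]) -> List[str]:
    """Audit helper: user IDs whose expiry date has passed and should have been disabled."""
    today = _as_date(today)
    return sorted(a.user_id for a in directory
                  if a.expires_on is not None and today > a.expires_on)


def policy_violations(directory: List[Account]) -> List[str]:
    """Audit helper: records that break 7.1 or 7.2 regardless of the date."""
    problems = []
    for acct in directory:
        try:
            validate_account(acct)
        except PolicyViolation as exc:
            problems.append(str(exc))
    return problems


# Constructed sample directory (assumed data, not a real account list).
DIRECTORY = [
    Account("alice", "staff", frozenset({"cms", "crm", "mail"})),
    Account("bob-contract", "contractor", frozenset({"cms"}), date(2024, 3, 31)),
    Account("test-qa1", "test", frozenset({"cms-staging"}), date(2024, 2, 15)),
    Account("vendor-support", THIRD_PARTY, frozenset({"crm"})),
]

# A second constructed list with records that violate the clauses.
BAD_DIRECTORY = [
    Account("carol-contract", "contractor", frozenset({"cms"})),   # no expiry (7.1)
    Account("vendor-unscoped", THIRD_PARTY, frozenset()),          # no systems (7.2)
]


def lookup(user_id: str) -> Account:
    return next(a for a in DIRECTORY if a.user_id == user_id)


if __name__ == "__main__":
    for uid, system in [("bob-contract", "cms"), ("vendor-support", "cms"), ("vendor-support", "crm")]:
        print(uid, system, authorize(lookup(uid), system, "2024-04-01"))
    print("expired:", expired_accounts(DIRECTORY, "2024-04-01"))
    print("violations:", policy_violations(BAD_DIRECTORY))
```

The expiry comparison is inclusive of the expiry date itself, matching "not accessible after that date"; if the business wants the account closed at the start of the completion date, change `>` to `>=` in both places. The audit helpers exist because an expiry date recorded in a directory is only useful if something actually acts on it; running `expired_accounts` on a schedule and disabling what it reports is the control, the date alone is not.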