Athens Olympic Games Information Security Strategy
INFORMATION SECURITY POLICY
Summary:
This document outlines the Information Security Policy and major guidelines that will protect the ATHOC information assets and assure business continuity and minimization of damages.
Originator:
M. Zervos
Section Manager, Quality & Information Security
Approved by:
S. Kougioumtzoglou
Manager, Information Technology
Approved by:
D. Beis
General Manager, Technology
Approved by:
I. Spanoudakis
Managing Director
Program Ref:
ITE (Information Technology)
Document Status:
DRAFT
APPROVED Χ
Document Type:
POLICY Χ
PROCEDURE / WORK INSTRUCTION
SPECIFICATION
File Reference:
H:\public\dept\IT\Quality\Procedures\Implemented\Technology\ITE_P002_i1
Division: Technology / Department: Information Technology
Change History
Issue   Date         Originator   Comments
1a      19/06/2001   M. Zervos    Issued for comments
1b      10/07/2001   M. Zervos    Issued for comments
1       14/03/2002   M. Zervos    Issued for Final Approval & Implementation
Table of Contents
1. Security Policy, Scope, Objectives, Organization & Compliance
1.1 Introduction
1.2 Scope
1.3 Purpose
1.4 Compliance
1.5 Security Organization
1.6 Associated Procedures & Documents
1.7 Glossary of Terms & Definitions
2. Assets Classification & Control
2.1 Accountability for Assets
2.2 Information Classification
3. Information Security policies for Personnel
3.1 Security in Job Definition & Resourcing
3.2 User Training
3.3 Reporting of Incidents
3.4 External Visitors
4. Physical & Environmental Security
4.1 Secure Areas
4.2 Equipment Security
5. Computer and Network Operation & Management
5.1 Operational Procedures & Responsibilities
5.2 System Planning & Acceptance
5.3 Software & Information Protection
5.4 Media Handling & Security
5.5 Maintaining Integrity & Availability
5.6 Protecting Network Services
5.7 Data Exchange
6. System Access Control
6.1 Application Access Control
6.2 Computer Access Control
7. System Development & Maintenance
7.1 Security Requirements of Systems
7.2 Security in Information Systems
7.3 Security of Information System Files
7.4 Security in Development & Support Environments
8. Personal Computers & Information Security
9. Risk Management
10. Business Continuity Planning, Recovery
11. Compliance
11.1 Use of software
11.2 Safeguarding of organizational records
11.3 Data Protection
11.4 Prevention of misuse of IT Facilities
11.5 Compliance with Security Policy
1. Security Policy, Scope, Objectives, Organization & Compliance
1.1 Introduction
ATHOC information and supporting systems, processes, etc., regardless of their form, constitute a key business asset. The availability, integrity and confidentiality of information are essential to maintain our legal compliance, respected organization image and successful execution of the Athens 2004 Olympic and Paralympic Games. It is therefore necessary to protect these assets from threats that may occur from a variety of sources (computer-based fraud, espionage, viruses or hackers, natural disasters etc.). The definition and implementation of ATHOC’s Information Security Policy is the IT department’s responsibility.
ATHOC’s business nature is such that it holds a lot of information about its employees, volunteers, athletes, etc. This information is subject to various pieces of legislation and therefore has to be kept secure.
The uninterrupted operation of the business necessitates the interaction of both IT and telecommunication networks at many different levels.
As the time for the execution of the Olympic Games approaches, the Policy and supporting procedures may need to be updated and amended to reflect any changes in requirements and constraints.
1.2 Scope
Information security is relevant to all types of information and systems that store, process or transfer it, from simple paper-based filing and indexing systems to specialized purpose-built systems such as IT equipment. This policy applies to all systems in all departments. Nevertheless, security practices shall be tailored according to specific needs, threats, risks and information types and systems.
1.3 Purpose
The purpose of information security is to ensure business continuity and minimize business damage by preventing and minimizing the impact of security incidents. Information security management enables information to be shared, while ensuring the protection of information and computing assets. The protection level for each asset or item shall be determined according to the following four basic parameters:
∙ Confidentiality
∙ Integrity
∙ Availability
∙ Accountability
It is also the purpose of this Policy to make people aware of the security issues and their resulting individual responsibilities. It is each individual’s responsibility and duty to strictly maintain this Policy and promote security practices and awareness. The aim of security awareness is to explain and increase:
∙ Security objectives, strategies and policies
∙ The need for security and associated roles and responsibilities
∙ The individual’s role in the security environment
Staff should be made aware of their obligations under the terms of prevailing computer or information-related legislation.
1.4 Compliance
All employees must comply with the requirements of this Policy. All departments and staff are also required to comply with relevant statutory and contractual requirements whether or not directly referenced in this document.
1.5 Security Organization
1.5.1 Information Security Management Forum and Coordination Team
Information Security is a business responsibility shared by all members of ATHOC’s Management. The responsibilities of this top level management forum, led by an Executive Director and/or a General Manager, include:
a. Provision of a clear direction and visible management support and commitment for information security
b. Review and approval of information security policy and overall responsibilities
c. Review of business critical security incidents
d. Approval of major initiatives to enhance information security
e. Allocation of the necessary resources for the development and maintenance of an efficient Data and Information Security Management Framework
The Quality & Information Security Section Manager coordinates all the necessary activities for the establishment and maintenance of the Information Security Management Framework with main responsibilities to:
a) Coordinate and participate in the preparation of all necessary information security procedures, guidelines and work instructions
b) Propose and coordinate the implementation of specific methodologies and processes for information security, e.g. risk assessment, development of a security classification system etc.
c) Support organization-wide information security initiatives, e.g. security awareness program
d) Ensure that information security is part of each department’s planning process
e) Coordinate the implementation of specific information security measures for new systems or services
f) Review compliance to information security policy
g) Review, monitor and coordinate evaluation and response to information security related incidents
h) Coordinate and participate in security assessments
i) Regularly report to the IT Manager and the Management Team on the status of the Information Security Management Framework.
1.5.2 Allocation of information security responsibilities
Responsibilities for the protection of individual assets and for carrying out specific security processes must be clearly defined.
The allocation of security roles and responsibilities within ATHOC should be supplemented, where necessary, with more detailed local interpretation for specific sites, systems or services which must clearly define local responsibilities for individual assets (both physical and information) and security processes, e.g. business continuity planning.
The security of an information system should be the responsibility of the owner of that system. Owners of information systems may delegate their security authority (power to act) to individual users. Nevertheless, they remain ultimately accountable for protecting the security of the system.
To avoid any misunderstanding regarding individual responsibilities, it is essential that the areas for which each manager is responsible are clearly stated, with emphasis on the following:
∙ The various assets and security processes associated with each individual system should be identified and defined.
∙ The manager should agree with his/her asset responsibilities, which should also be documented.
∙ Authorization levels should be clearly defined and documented.
Unless otherwise defined (and documented), the relevant Section Manager should be nominated as “System Owner”.
1.6 Associated Procedures & Documents
∙ Law 2472/97 on the Protection of Individuals with regard to the Processing of Personal Data
∙ Procedure for the Retention & Protection of Documents & Books (Information), 01-07-99.
1.7 Glossary of Terms & Definitions
Availability - Ensuring that information and vital services are available to requestors when required
Accountability - The ability to determine responsibility for actions
Confidentiality - Protecting sensitive information from unauthorized disclosure or intelligible interception
Data - The representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by human or by automatic means
Duress Alarm - Mechanism by which a requestor can indicate to the host system that a logon is being attempted under duress
Information - The meaning that is currently assigned to data by means of the conventions applied to the data
Information Security - Protection of information for confidentiality, integrity and availability
Inform