30(a) Security Policy: Summary of the security policy for the proposed registry
| gTLD | Full Legal Name | E-mail suffix |
|---|---|---|
| .MTR | MTR Corporation Limited | hkirc.hk |
Our registry operator HKIRC has set up an Information Security Management System (ISMS) according to the international standard ISO 27001. With this information security framework, HKIRC is able to design, implement and maintain a coherent suite of processes and systems for effectively managing information security and minimising information security risks.
HKIRC conducts security audits by independent parties every two years. Independent assessment reports are produced and approved by an audit committee formed by the board of directors. Risks and threats found are prioritised, followed up with action plans and reviewed in the regular management cycle.
A summary of HKIRC’s security policy is given below.
This document constitutes a summary of an Information Technology (IT) Security Policy that internal and related external parties of the Organisation shall observe and follow. For the purposes of this Policy the process used is based on the PDCA model shown in Figure 1 (attached).
PDCA Model applied to ISMS processes:
Plan (establish the ISMS) - Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organisation’s overall policies and objectives.
Do (implement and operate the ISMS) - Implement and operate the ISMS policy, controls, processes and procedures.
Check (monitor and review the ISMS) - Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act (maintain and improve the ISMS) - Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
The process approach for information security management in this Policy encourages its users to emphasise the importance of:
a) understanding an organisation’s information security requirements and the need to establish policy and objectives for information security;
b) implementing and operating controls to manage an organisation's information security risks in the context of the organisation's overall business risks;
c) monitoring and reviewing the performance and effectiveness of the ISMS; and
d) continual improvement based on objective measurement.
This document addresses security considerations in the following areas:
a) Organisation of Information Security
b) Management Responsibilities
c) Risk Assessment and Treatment
d) Asset Management
e) Human Resources Security
f) Physical and Environmental Security
g) Communications and Operations Management
h) Access Control
i) Information Systems Acquisition, Development and Maintenance
j) Information Security Incident Management
k) Business Continuity Management
Reference, definitions and conventions
STANDARDS AND GUIDELINES
a) ISO 27001:2005 "Information technology — Security techniques — Information security management systems — Requirements"
b) ISO 17799:2005 "Information technology — Security techniques — Code of practice for information security management"
c) AS/NZS 4360:2004 "Risk Management"
Risk Assessment, Audit and Management Review
Security objective: To identify and evaluate risks of the information and information systems of the Organisation.
Security objective: To review the effectiveness of the security controls.
Audits shall be conducted at planned intervals to determine whether the control objectives, controls, processes and procedures of the Information Security Management System:
a) conform to the identified information security requirements;
b) are effectively implemented and maintained; and
c) perform as expected.
An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined.
The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.
MANAGEMENT REVIEW OF THE ISMS
Management shall review the organisation’s ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained.
The organisation shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review.
The organisation shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence.
The organisation shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems.
The organisation shall identify changed risks and identify preventive action requirements focusing attention on significantly changed risks. The priority of preventive actions shall be determined based on the results of the risk assessment.
Information Security Management Framework
Security objective: To establish a framework for the management of Information Security within the Organisation, to initiate and control the implementation of Information Security within the Organisation.
The attached diagram (Figure 2) describes the IT Security organisational framework of the Organisation.
Management shall commit to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
a) establishing an ISMS policy;
b) ensuring that ISMS objectives and plans are established;
c) establishing roles and responsibilities for information security;
d) communicating to the organisation the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
e) providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS;
f) deciding the criteria for accepting risks and the acceptable levels of risk;
g) ensuring that ISMS audits are conducted; and
h) conducting management reviews of the ISMS.
INFORMATION SECURITY MANAGEMENT COMMITTEE (ISMC)
The Organisation shall establish an Information Security Management Committee (ISMC) to oversee the IT security within the whole Organisation. The committee meets on a regular basis to:
a) Review and endorse changes to the IT security related policies and guidelines;
b) Review and endorse the criteria for accepting risks and the acceptable levels of risk;
c) Define specific roles and responsibilities relating to IT security; and
d) Provide guidance and assistance to departments in the enforcement of IT security related policies.
The core members of the ISMC comprise:
a) Senior staff from user departments; and
b) The Information Security Officer.
Representative(s) from other departments will be co-opted into the Committee on a need basis, in relation to specific subject matters.
INFORMATION SECURITY OFFICER (ISO)
The Organisation shall appoint an Information Security Officer (ISO) to be responsible for IT security. The roles and responsibilities of the ISO shall be clearly defined and include, but are not limited to, the following:
a) Establish and maintain an information protection program to assist all employees in the protection of the information they use;
b) Lead in the establishment, maintenance and implementation of information security policies, standards, guidelines and procedures;
c) Coordinate with other organisations on IT security issues;
d) Disseminate security alerts on impending and actual threats within the Organisation;
e) Ensure information security risk assessments are performed as necessary;
f) Initiate investigations and rectification in case of breach of security;
g) Monitor the compliance with the IT Security Policy; and
h) Promote IT security awareness within the Organisation.
INFORMATION SECURITY INCIDENT RESPONSE TEAM (ISIRT) COMMANDER
The ISIRT is the central focal point for coordinating the handling of information security incidents occurring within the Organisation. The Management should designate an officer from the senior management to be the ISIRT Commander. The ISIRT Commander should have the authority to appoint core team members for the ISIRT.
INFORMATION SECURITY ADMINISTRATORS
Information Security Administrators are responsible for providing security and risk management related support services. They assist in identifying system vulnerabilities and performing security administrative work of the system.
INFORMATION OWNERS
Information Owners are the collators and the owners of information stored in databases and data files.
NETWORK / SYSTEM ADMINISTRATORS
Network / System Administrators are responsible for the day-to-day administration, operation and configuration of the Organisation's computer systems and network, whereas Internet System Administrators are responsible for the same tasks for their Internet-facing Information Systems.
APPLICATION DEVELOPMENT & MAINTENANCE TEAM
The Application Development & Maintenance Team is responsible for producing quality systems through the use of quality procedures, techniques and tools.
USERS OF INFORMATION SYSTEMS
Users of Information Systems are the staff who actually use the information and shall be accountable for all their activities on the Information Systems.
RESPONSIBILITY FOR ASSETS
Security objective: To achieve and maintain appropriate protection of organisational assets.
Security objective: To ensure that information receives an appropriate level of protection.
Human Resources Security
HUMAN RESOURCES SECURITY
Security objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
Security objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their normal work, and to reduce the risk of human error.
TERMINATION OR CHANGE OF EMPLOYMENT
Security objective: To ensure that employees, contractors and third party users exit an organisation or change employment in an orderly manner.
Physical and Environmental Security
Security objective: To prevent unauthorised physical access, damage and interference to the organisation’s premises and information.
Security objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s activities.
Communications and operations management
OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Security objective: To ensure the correct and secure operation of information processing facilities.
THIRD PARTY SERVICE DELIVERY MANAGEMENT
Security objective: To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
SYSTEM PLANNING AND ACCEPTANCE
Security objective: To minimise the risk of systems failures.
PROTECTION AGAINST MALICIOUS AND MOBILE CODE
Security objective: To protect the integrity of software and information.
Security objective: To maintain the integrity and availability of information and information processing facilities.
NETWORK SECURITY MANAGEMENT
Security objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
Security objective: To prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption to business activities.
EXCHANGE OF INFORMATION
Security objective: To maintain the security of information and software exchanged within an organisation and with any external entity.
ELECTRONIC COMMERCE SERVICES
Security objective: To ensure the security of electronic commerce services, and their secure use.
Security objective: To detect unauthorised information processing activities.
BUSINESS REQUIREMENT FOR ACCESS CONTROL
Security objective: To control access to information.
USER ACCESS MANAGEMENT
Security objective: To ensure authorised user access and to prevent unauthorised access to information systems.
Security objective: To prevent unauthorised user access, and compromise or theft of information and information processing facilities.
NETWORK ACCESS CONTROL
Security objective: To prevent unauthorised access to networked services.
OPERATING SYSTEM ACCESS CONTROL
Security objective: To prevent unauthorised access to operating systems.
APPLICATION AND INFORMATION ACCESS CONTROL
Security objective: To prevent unauthorised access to information held in application systems.
MOBILE COMPUTING AND TELE-WORKING
Security objective: To ensure information security when using mobile computing and tele-working facilities.
Information systems acquisition, development and maintenance
SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
Security objective: To ensure that security is an integral part of information systems.
CORRECT PROCESSING IN APPLICATIONS
Security objective: To prevent errors, loss, unauthorised modification or misuse of information in applications.
Security objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
SECURITY OF SYSTEM FILES
Security objective: To ensure the security of system files.
SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
Security objective: To maintain the security of application system software and information.
TECHNICAL VULNERABILITY MANAGEMENT
Security objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
Information security incident management
REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES
Security objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
Security objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
Business continuity management
INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
Security objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
COMPLIANCE WITH LEGAL REQUIREMENTS
Security objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
COMPLIANCE WITH SECURITY POLICIES AND STANDARDS, AND TECHNICAL COMPLIANCE
Security objective: To ensure compliance of systems with organisational security policies and standards.
INFORMATION SYSTEMS AUDIT CONSIDERATIONS
Security objective: To maximise the effectiveness of, and to minimise interference to/from, the information systems audit process.
Appendix A, FIGURE 1 and FIGURE 2
Similar gTLD applications: (0)