SGDP security policies

1. Purpose

The purpose of this procedure is to define the specifics of the security policies adopted by the system.

2. Applicability

This procedure applies to all activities involved in the SGDP.

3. References

SGDP system 

4. Responsibility and updating

The RSGDP is responsible for implementing this procedure. 

5. Operational modes

5.1.1 SGDP security management policy 

The objective of IT infrastructure security management is to ensure that systems, workstations, applications, network services, and processing services deliver processing performance at the defined levels and meet the defined security requirements.

The general principles for secure systems management are summarized below:

  • an inventory of hardware and software assets is maintained and kept up to date; 
  • standard rules for the installation and configuration of systems are applied; 
  • system configurations are designed with current and future performance needs in mind; 
  • system configurations make use, as far as possible, of built-in security features and facilitate the installation of additional security measures; 
  • standard procedures are adopted for configuring systems that address: 
    • disabling or restricting the use of particular services; 
    • restrictions on access to particularly critical system utilities and system setting functions; 
    • use of time-out functions; 
    • major update needs in terms of patches and security fixes; 
  • system configurations are stored and updated in a centrally governed file; 
  • system performance monitoring activities are conducted regularly in order to properly handle events, problems and incidents. 

An appropriate backup policy shall be prepared, possibly including remote backup, and shall be consistent with the provisions of the preservation manual.

Supplier security policy

With regard to the security standards required of service providers who may play a decisive role in the SGDP, a specific letter of assignment is issued to each provider, setting out the specifications to be implemented for the type of data to be processed on behalf of the Organization. Such processing must be protected by appropriate security measures adopted by the providers themselves.

5.1.2 Physical access control policy 

Appropriate physical access control arrangements are in place, providing for the following classes of access: 

    • staff of the Organization; 
    • personnel from outside vendors; 
    • staff of the administration(s) served by the system; 
    • personnel delegated by the Organization (e.g., personnel performing maintenance/repair, etc.).

5.1.3 Policy for user entry and logical access control 

The entry of users on the Organization’s information system is assigned to the System Administrator (or, where that role is not provided for, to the SGDP manager), including the assignment of permissions for access to the Organization’s systems and applications. 

The Administrator also defines the arrangements for the deletion or change of authorizations, with specific reference to the document retention system. 

5.1.4 Workstation management policy 

The essential elements of this policy are: 

  • the minimum elements that define a “workstation”; 
  • rules for installing software on workstations; 
  • rules for updates; 
  • rules for limiting connectivity to external media (CD/DVD, pen drive, etc.); 
  • rules for changing settings. 

These activities are defined and implemented by the System Administrator (or, where that role is not provided for, by the SGDP manager). 

5.1.5 Application content management policy 

Activities regarding system maintenance and checking the software content of clients, in order to verify the absence of malicious code and compliance with what is authorized and provided for in the user licenses, are carried out by the System Administrator (or, where that role is not provided for, by the Resp. Electronic Tools Maintenance – RMSE). 

5.1.6 Policy on management, decommissioning and disposal of mobile equipment and media 

Special attention is paid to the management of mobile devices (laptops, tablets, smartphones, cell phones, etc.) and of media external to servers and workstations (external HDs, CDs, DVDs, pen drives, DAT and LTO tapes, etc.), as well as printed paper, that are used and/or produced as part of document preservation activities. 

The System Administrator (or, where that role is not provided for, the Resp. Electronic Tools Maintenance – RMSE) defines the rules for using and storing the devices and media, including the rules for their decommissioning and destruction. 

5.1.7 Communication channel management policy 

Communication channels such as e-mail, instant messaging systems, VoIP, Internet, wireless access, fax machines, scanners, and photocopiers are controlled in order to preserve the confidentiality and integrity of information in transit, and at the same time to prevent the misuse of such communication tools. 

Accordingly, the controls cover the appropriate use of each tool, user behavior, and the technologies involved. 

5.1.8 Maintenance of security policies 

Provision is made for the refinement, disclosure and review of the security policies upon the occurrence of any of the following: 

  • security incidents; 
  • significant technological changes; 
  • changes to the IT architecture; 
  • updates of regulatory requirements; 
  • results of any internal audit activities. 

In this regard, appropriate training is provided periodically to all personnel of the Organization. 
