The prime objective is to protect the confidentiality, availability and integrity of the company’s information and information systems.
Information security policy
Ensure that IT staff and IT systems adhere to and enforce the company’s information security policies.
Maintain a current and comprehensive inventory of information systems, software licenses and services assigned to responsible individuals.
Ensure that all software and systems are kept up to date with the latest security patches.
Ensure that all changes to IT infrastructure are documented, tested and authorised.
Report and respond to security incidents or suspicious activity as quickly as possible following standard procedures for the collection of evidence.
Backup copies of information, software and system images shall be taken and tested regularly in accordance with the backup policy.
Ensure users are only provided with access to information, networks, and software that they have been authorised to use.
Ensure that all information systems have active malware detection, prevention and recovery controls.
Ensure firewall configurations effectively prevent unauthorised inbound/outbound access and are limited to approved rules with a business justification.
Maintain tamper-proof event logs to record administrator and user activities, exceptions, faults and information security alerts that can be used as an audit trail for troubleshooting or forensic investigation.
Ensure IT staff use standard configurations and documented procedures for the installation and operation of information systems.
Ensure equipment and cabling are well maintained and protected from unauthorised access and disruption.
Maintain documentation on the current network configuration, including a diagram and security controls.
Run regular internal vulnerability scans and address any medium or higher risks.
To ensure proactive management of the IT environment:
|Check|Frequency|
|---|---|
|Backup: review and resolve|Daily|
|Antivirus: review and resolve|Daily|
|Logs: critical issues on key servers, unusual activity|Daily|
|Disk space on servers|Weekly|
Provide regular reports on the following:
|Report|Frequency|
|---|---|
|Access rights: List of active users and permissions|Quarterly|
|Assets: Additions, changes, disposal|Quarterly|
|Backups: List of backups completed and restores tested|Monthly|
|Incidents: List of incidents reported (resolved and unresolved)|Monthly|
|Patches: Number of systems patched and unpatched (known vulnerabilities)|Monthly|
|Utilisation: Software licenses|Quarterly|
|Utilisation: UPS test|Annually|