My PERSONAL Computer


DATA CLASSIFICATION


When determining the level of security (location, access controls and passwords) to be applied to data, consideration is to be given to the following factors:

"Integrity" addresses the requirement for completeness, accuracy and resistance to unauthorised modification or destruction.

"Confidentiality" addresses the requirement to ensure privacy and to protect against disclosure to unauthorised parties.

"Availability" addresses the requirement for continuous delivery to the business processes and for the ability to recover in the event of a disruption.


Authentication

Where possible/practical all users of computer systems will be uniquely identified to the system being accessed.

All users, where possible/practical, will possess a user identifier (username/userid) and an associated password that are used by the computer system to authenticate their identity.

Users must not share their user identifier/passwords with others, nor must they allow another person to operate a session that they have established with a computer system.

Users must select passwords that are robust and must keep them secured against misuse and theft.

Users with dial-up access will not divulge the dial-up numbers, access password or any other information that may enable unauthorised users to gain dial-up access.

Users will be accountable for all actions performed under their user identifier.

There must be adequate controls over connections to external networks and terminal devices to assure the authentication of external users.


Access Control

Access to data and other Information Technology assets will be granted only to authenticated users, and on a strictly "need to know" basis and reviewed on a regular basis.

Authority to access Information Technology assets must be granted and revoked by ME.


Integrity

There must be adequate controls to ensure completeness and accuracy during the capture, storage, processing and presentation of data.

There must be adequate control measures to ensure that the computer system is able to resist compromise of its controls and that data is only able to be accessed through established routes.

Adequate measures must be taken to ensure that computer viruses, which may compromise the integrity of data and information, are not introduced to the computing facilities.


Confidentiality

There must be adequate controls to ensure that data and the information derived from it are only disclosed to authorised users.

Adequate measures must be taken in the disposal of data and computing facilities to ensure that information is not disclosed to unauthorised personnel.


Availability

There must be adequate measures to ensure that data can be delivered to business activities when required.

There must be adequate measures to ensure the recovery or replacement of Information Technology assets and resumption of business activities within an acceptable time-frame after any damage or disruption.


Conduct

All users of Information Technology assets must comply with prevailing legal, statutory and contractual requirements relating to the usage of those assets.
