
IT Operations - Document Operating Procedures

This document outlines procedures for documenting and controlling IT operations documents for an Information Security Management System (ISMS). It describes obtaining approval for documents, recording changes, and defining terms. It also summarizes the management framework, and procedures for implementing controls. Document control procedures are defined, including classification, circulation, retention, and record keeping. Security of documentation is addressed, including storage of paper and electronic copies, backups, and document destruction.

Uploaded by

Agung Prasetyo

Document No. ISMS/DOP/001
IT Operations - Documented Operating Procedures

1. Approval and Authorisation

Completion of the following signature blocks signifies the review and approval of this Process.

                 Name     Job Title                      Signature   Date
Authored by:     <Name>   Network/Systems Supervisor                 13th. November, 01
Approved by:     <Name>   Information Security Officer
Authorised by:   <Name>   Finance & IT Director

2. Change History

Version        Date                    Reason
Draft 1.0      8th. September, 01      First draft for comments
Version 1.0    13th. November, 2001    First Version

443092927.rtf <Date> Page 1 of 10


Uncontrolled Copy When Printed

3. Contents

1. Approval and Authorisation
2. Change History
3. Contents
4. Definitions Used in this Report
5. Document Referred
6. Document Operating Procedures
7. Document Control
8. Security of Documentation
9. Project Documentation Details
10. Operational procedures Documents
11. Appendix 1


4. Definitions in this report


Trust    xxxxxx NHS Trust
LAROC    Name of the Trust Network System
SoA      Statement of Applicability
ISMS     Information Security Management System
RA       Risk Assessment


5. Documented Operating Procedures


Objective
The purpose of this document is to give a broad outline of the various aspects of Information Security
Procedures, guiding the users to more specific processes applicable to the systems used in the NHS
Purchasing and Supply Trust.

Process
The following steps are taken to identify and document the control objectives and security controls in the
Information Security Policy approved by senior management:

a) Evidence of the actions:

0 The information security policy is defined in the ISMS.
1 The scope of the information security management is defined in the ISMS.
2 A preliminary risk assessment and subsequent controls are identified in this
document. A full risk assessment is undertaken by a specialist consultant to determine the
degree of risks, and the results will be included in the RA document.
3 The areas of risk to be managed are identified and explained in the risk matrix in the RA.
4 Appropriate security controls are selected and procedures/methods are documented
as below:

Security organisation – document ref. ………….
Asset classification and control – document ref….
Personnel security – SoA; document ref…..
Physical security – SoA; document ref…..
Access control – SoA; document ref…..
Business continuity – SoA; document ref…..
Compliance and audit – SoA; document ref….

b) A summary of the management framework, including:

1. information security policy document – as in 6a
2. control objectives and implemented controls – as in 6a
3. statement of applicability – SoA; document ref ISMS/SOA/001
4. management forum – document ref. ISMS section 6.1

c) Procedures to implement the security controls are documented independently and
listed in section 6a above.

d) Management procedures are documented in two sections:

1. Security organisation – ISMS document ref…..
2. Operations management – ISMS document ref.…


7. Document control
Objective
To ensure that documents in use in connection with the ISMS project are controlled in a systematic
manner.

Responsibilities
The IT Operations manager shall ensure that all ISMS project documents are controlled and that
proper records are maintained.

Process

1. Correspondence documents consist of all the general correspondence of the project:

- Copies of all outgoing and incoming mail of all correspondence shall be retained in
the project file(s).
- The circulation of all correspondence shall be annotated as being confidential, for
information, for action or for discussion.
- Individual IT staff may maintain working files, but these should not retain original
documents.

2. Project documentation shall include:

a) project reports and plans
b) technical reports
c) specifications
d) instructions
e) computerised data
f) controlled documents

3. Controlled documents shall be clearly identified according to this procedure and recorded.
Use of non-controlled documents shall be strictly limited.

4. All reports, logs, forms and procedures created by IT Operations shall be signed and
controlled in accordance with this procedure.

5. All manufacturers' original instruction manuals shall be retained by IT Operations.


8. Security of Documentation - Record Keeping


Objective
To define and describe the procedure for managing ISMS records.

Process
This procedure covers the identification, logging and preparation of records for submission to the central
archive.

All paper records related to the ISMS shall be kept in a fire safe and will be available for inspection
upon request from the IT Operations manager.

All electronic records related to the ISMS will be available on the Trust’s network server in a secure
folder with READ ONLY access.

A second copy of documents related to the ISMS will be available on a CD as a backup and will be
kept off site.

Uncontrolled copies of documents relating to information security management will be available on the
Trust’s Intranet to authorised users.

Documents shall be registered and retained for not less than 3 years.

Where records have been reviewed and subsequently destroyed, this shall be noted in a register held
by IT Operations.


9. Project Documentation Details:


Columns: Document name | Reference number | Issue number | Date issued | Approved | Change request | BS7799-2 Ref. | Document owner

Entries (Document name column):
Implementation
Information Security Policy
Welcome Pack
Helpdesk Procedures
Information Security Risk Assessment
Statement of Applicability
IT Security Audit Plans and Records
Audit Strategy


10. Operational Procedures Documents


Columns: Document Name | Document Ref. | Change Request | Issue No. | Date Issued | Document Owner | Approved

Entries (Document Name column):
Secure Disposal or Re-use of Equipment
Management of Removable Computer Media
Removal of Property
Terminal Log-on
Event Logging
Monitoring System Use
Documented Operating Procedures
Operator Log
Fault Logging
Security of System Documentation
Controls Against Malicious Software
User Registration
Business Continuity Management process
Business Continuity and Impact Analysis
Writing and Implementing Continuity Plans
Business Continuity Planning Framework
Testing, Maintaining and Re-Assessing Business Continuity Plans
Disposal of Media
Information Handling Procedures
User Authentication for External Connections
Operational Change Control
Information Backup
Information Security Policy Document
Data Protection and Privacy of Personal Information
Power Supplies
Cabling Security
Including Security in Job Responsibilities
Equipment Siting and Protection
Policy on Use of Network Services
Mobile Computing
Teleworking
Incident Management Procedures
Access Control Policy
Privilege Management
Security of Equipment Off-premises
Enforced Path
Network Routing Control
Equipment Maintenance
Security of Network Services

Appendix 1 - Document Owners

Columns: Initials | Full name | Responsibilities (Example) | Location

Entries:
Helpdesk Administrator
Facility Manager
Data Protection Officer
Network Systems Supervisor
IT Operations Manager
Information Security Consultant
Technical Support Officer
Director of Finance & IT
Helpdesk Manager
Infrastructure Manager
