SSAFA Volunteer Knowledgebase

IT Standards Policy

Updated on

The IT Standards policy is an internally facing policy that states the minimum standards to which the IT department aligns itself. It is required for audit purposes but also sets oout to align to common best practice.

Purpose

  • To state minimum standards and ensure compliance to GDPR and other auditable standards.
  • To maintain best practice.
  • To align to specific and/or required standards that our contracts or partners dictate.

Scope

This policy covers all IT systems, services and practices that are led by the SSAFA IT department, including centrally managed cloud-based services, for example, Office 365 or Dynamics 365. These services may be offered to staff, partners, “Service Users” (clients of H&SC), consultants and volunteers or any combination thereof.

Policy

It is SSAFA IT policy the following minimum standards are maintained:

It is SSAFA policy that the minimum standards are maintained:

  • Government’s Cyber Security Essentials [PLUS] (annually)
  • Penetration testing via AppCheck (at least annually)
  • Application testing of web-based services such as the main website and CMS system via AppCheck (at least quarterly)
  • That all relevant and in-scope servers, applications and services are patched within the relevant timeframes (14 days for critical or security related patches / 30 days for non-critical)
  • Software, platforms and web based services/applications purchased must be supported by the vendor/manufacturer for at least one year after the purchase date and additionally approved by IT to ensure compatibility between all existing hardware and software.
  • That key changes are logged, documented, subject to approval and only implemented once risk and impact have been minimised.
  • That all new assets (software, hardware, subscriptions/services etc) introduced to the organisation goes through a thorough vetting process before (potentially) being approved. (Required as part of Cyber Security Essentials: - “maintaining an approved software whitelist”.)
  • Employees are trained and tested as “human firewalls” at least annually, with access to IT systems dependent on a successful pass, to reduce risk and exposure to malware.
  • Employees and volunteers are kept up to date via security blogs and scam alerts at least twice per month.
  • That phishing simulations will be targeted at all people at least twice per year to trend risk exposure.
  • That anti-malware solutions are in place and centrally governed for all Windows based computing devices.
  • That all mobile access to systems or data is managed through an MDM portal (mobile device management) to ensure compliance and encryption standards are met. (Required as part of Cyber Security Essentials: - “controlling access to data with mobile devices”)
  • All mobile devices are encrypted to a minimum standard.
  • That all on premises servers are backed up to the Acronis DR cloud to mitigate ransomware attacks and data loss.

Graphical overview

Identify Governance & compliance IT Policy in place
DLP monitoring flags non-compliance
365 Reporting and alerting in place
Risk management IT Risk register in place for local risks
Org risk register in place and references top cyber risk(s) and controls
Protect User access Manage with RBAC principles
Regular reviews/reports in place
MFA activated
Awareness training Security blogs and scam alerts deployed to all people regularly
Awareness videos/training material regularly promoted to all
Certification / Audits Cyber Essentials renewed yearly
Regular external reviews by Mazars
Patch management All critical patches deployed within 14 days
Nessus proactively scanning all server-based resources and highlighting remediation necessary
Patches automated and reportable
Detect Malware Anti malware solutions in place using signatures
Machine learning employed for all executables so they are fingerprinted and blocked by default until vetted
Endpoint/Firewall Threat detection sensors in place
Pen tests and app checks carried out quarterly and externally
Reporting AD reports used to ensure users and groups are appropriately configured
365 reports are used to ensure compliance
Respond Incident response Root cause analysis and lessons learnt at the heart of response
Management team standing agenda item to review incidents or potential risks
Recover Planning Recovery to BaU runbooks in place
Testing DR tests carried out annually with staff
Previous Article Mobile Policy
Next Article Public-Facing Complaints Policy