
IT Department Operational Procedures - WITGwit.onestops.com/site/wp-content/uploads/2013/07/Workforce-Alliance-Technology...7 as the operating system. The initial software install

Jan 01, 2020


dariahiddleston

Workforce Alliance

IT Department Operational Procedure

WORKFORCE ALLIANCE

Information Technology Department

IT Department Operational Procedures


INFORMATION TECHNOLOGY DEPARTMENT

Operational Procedures

Workforce Alliance, 1951 North Military Trail • Suite D

West Palm Beach, FL 33409 Telephone: (561) 340-1060


Table of Contents

IT Operation Structure
Resources and Equipment
Purchasing and Replacing Computers for Workforce Alliance
Backup and Disaster Recovery
Network Backup Flow Chart
Daily Maintenance Backup Procedure
Systems Documentation
Network Structure
Backup Tapes - Removing offsite tapes
Systems Documentation Inventory and Policy
Inventory Database
Network Structure
Network Access
Network Security
Internet Use
E-Mail Use
Requests for Service
Monitoring, recording and reporting information system and/or information security breaches


Purchasing Procedure

THIS HANDBOOK IS NOT INTENDED TO CREATE, NOR IS IT TO BE INTERPRETED AS TO CREATE, A LEGALLY BINDING CONTRACT BETWEEN THE WORKFORCE ALLIANCE STAFF AND ANY OF ITS EMPLOYEES.

In the event that the terms of this handbook conflict with the written and approved personnel policies of the Workforce Alliance, the policies of Workforce Alliance shall be controlling.

IT Operational Structure

The IT Department at the Workforce Alliance has responsibilities in many areas, including network infrastructure and telecommunications (site-to-site connectivity, internet access and telephone systems), in addition to the maintenance and control of hardware/software for multiple departments.

Infrastructure

The core responsibility of the Workforce Alliance IT Director and staff members is to maintain the four (4) offices' LAN/WAN infrastructure, which includes 33 physical and virtual servers, three (3) VMware vSphere hosts, two (2) NetApp 2240 SANs (Storage Area Networks) including a DR (disaster recovery) site, 625 computers/laptops, and network devices including routers, switches, firewalls, security appliances, applications, and databases. The security and integrity of the information systems at Workforce Alliance is the primary concern of the IT Department.

Infrastructure is further divided into two major components: network and applications. The network component focuses on the LAN, from the media and network appliances to the addressing schemes, network services, and the hardware aspect of all nodes and equipment.

IT Department Job Descriptions

The Director's primary responsibility is to oversee the streamlined operation of Workforce Alliance's infrastructure and IT department and to ensure it aligns with the business objectives of the organization.

Director daily responsibilities: Manage Exchange 2003/2010 services, internal/external security appliances with a separate email firewall, Cisco network routers, switches, 33 virtual/physical servers, 625 desktops, email servers, VPN hardware/software equipment, NetApp SAN (Storage Area Networks), and 3 VMware virtual hardware/software hosts, which hold all Workforce Alliance data; Disaster Recovery hardware/software appliances that will soon be deployed at the EOC Category 5 building; and manage a staff of 4. I am currently the Region21 RSO for EFM, OSST, DCF. In addition, also responsible for IT budgets, coordinating projects for all departments, and purchasing all hardware and software for Workforce Alliance. Provide support for the HR/Payroll system in addition to maintaining the Polycom audio/video conferencing equipment for all sites.

DBA daily responsibilities:


Eric Tremelling – Database Administrator. Eric is responsible for maintaining multiple SQL databases and internal and external websites, and for developing web-based applications as needed by Workforce Alliance. He also maintains the backup software for Workforce data, and provides support as needed for the HR/Payroll system, Intranet-SharePoint, CRM and Backup.

IT Technician daily responsibilities:

Chuck Hunter - The IT Technician provides support within the organization's 625-desktop computing environment, which includes installing, diagnosing, repairing, and maintaining equipment to ensure optimal performance for computers, printers and the various desktop automation software. Inventory.

IT Technician daily responsibilities:

Tim Moss - The IT Technician provides support within the organization's 625-desktop computing environment, which includes installing, diagnosing, repairing, and maintaining equipment to ensure optimal performance on printers and the various desktop automation software. Inventory.

Resources and Equipment

The IT Department has jurisdiction over all computer workstations, network devices, software, and all other computer/telephony components and accessories. Within the guidelines established through Workforce Alliance policies, the Director of Information Technology has the discretionary power to allocate these resources as required, to establish proper-use procedures, and the ability to delegate these functions to other authorized staff members. The purchase, modification, or placement on the network or existing systems of any of the aforementioned items must be authorized by the Director of Information Technology, or by an officially designated proxy.

All software and hardware relating to computer/network/telephony systems will be inventoried and maintained according to the IT Department Policies, and within the appropriate subsections of the IT Operational Procedures. This subsection details the procedures established by the IT Department to ensure proper use of, and compliance with policies regarding, IT resources and equipment.

Workstations: All staff members will be given the use of a computer in their office with access to the Workforce Alliance network. Modifications to staff workstations including the addition or removal of hardware or software are not allowed without prior approval of the IT Department.

Every workstation will be able to print on at least one network printer and one backup printer (one of which will be color).

Individual desktop printers will not be available unless the Director of Information Technology deems it necessary under special circumstances.

Unless otherwise authorized by the Director all workstations will use Windows XP Pro or Windows 7 as the operating system. The initial software install on the system will include MSOffice (Standard or Professional), Internet Explorer, Acrobat Reader, and Symantec Anti-virus Corporate Edition.

Access to the Internet will be through Internet Explorer and e-mail will be through the Workforce Alliance’s email system.

Additional hardware and software may be requested by filing the proper form with the Director or their immediate supervisor.


Training Rooms, Conference rooms and staff Workstations: Dedicated workstations for Workforce Alliance use will be located at various locations of the four (4) sites. Only authorized staff with a proper username and password may use these computers. All staff workstations will be connected to the network and have access to a network printer. Staff are not allowed to make any hardware or software modifications to any computer system.

The Training Rooms are under the supervision of the IT Department. All modifications to the workstations located in these rooms need to have his or her approval or must be directly authorized by the Director.

All modifications to the workstations in the various classrooms/labs and in the career centers must be authorized by the Director (or authorized representative) and will be performed by IT personnel.

Internet access and email access can only be through authorized programs (Internet Explorer and the Workforce Alliance email server).

No streaming media applications, instant messaging, or chat rooms are to be utilized on any workstations unless authorized by management.

Public Resource Rooms: Customers and Employers are only allowed to access Workforce Alliance in pre-approved locations. The individual in charge of this area will maintain a login sheet that will record the name of the person, the station being used, and date and time (on and off) that this person was on the system. The user will then be provided with a visitor username and password.

Currently the Resource Rooms located in Boca Raton, Belle Glade and Pine Trail are the only authorized public access locations.

Printers, Copiers, Faxes, Scanners, and Other Shared Devices: All shared devices, either on the network or stand-alone equipment, are under the province of the IT Department. Only IT personnel or specifically authorized staff will service these items.

All equipment of this nature that is placed on the Workforce Alliance network is under the direct supervision of the IT Department.

IT Loaner Equipment: Workforce Alliance owns a number of items that are of a portable nature that are available for use by staff members with the approval of the Director or staff’s immediate supervisor. When not in use these items will be stored in IT cabinets/closets, which will be locked at all times when not under the direct supervision of an authorized IT staff member.

The Director and designated IT staff members will be assigned the key(s) for the storage area(s). Only these individuals have the authorization to access the IT Loaner equipment area(s).

The IT Department will maintain a list of items available for loan. This list will be located in the Workforce Alliance inventory system. These items will be inventoried according to subheading Systems Documentation.

Only staff members can check out items from the IT Department Room. To checkout an item the individual must contact one of the authorized IT staff members.

Certain items may be reserved by contacting an authorized IT staff member who will place the information on a calendar kept for that purpose.

Adopted by the Workforce Alliance

Once an individual signs out an item, he or she assumes full responsibility for it until it is returned.


The individual that signed for the item must return it on or prior to the due date/time to an authorized IT staff member, and report any known problems with the item. The IT member is required to at least spot check the item for any obvious damage or missing components. He or she will then record its return in the inventory system and will report any irregularities to the Director or IT.

Purchasing and Replacing Computers for Workforce Alliance

When purchasing a PC for a Workforce Alliance staff member or for public use, IT first and foremost considers the programs utilized by each staff member to assure that the PC being purchased has enough power and disk capacity to adequately run the programs of Workforce Alliance. In addition, a computer should provide a minimum of 4-5 years of sound performance with minor maintenance and be purchased with a reasonable maintenance contract for 4-5 years to eliminate maintenance cost and minimize IT support of each computer. The following applications are utilized by Workforce Alliance staff and require above average hardware to run efficiently.

1. Desktop Automation – MSOffice 2007 or MSOffice 2010 suite which includes MS Word, Excel Spreadsheet, Access database, Publisher, Visio Design Software, PowerPoint and MSProject.
2. Special Applications – Payroll, Accounting, Finance, Oracle Database, Sage etc.
3. State Systems – DCF, DMS, FDLS.
4. Once the software and hardware needs have been assessed, we get a minimum of three (3) quotes from reputable vendors and state contract holders that provide Government/Not-For-Profit vendor pricing and a 3 year maintenance contract, and finally purchase computers from the vendor with the best price.

Four to five year replacement rule of thumb

1. When the cost of repairing a computer will exceed the cost of replacement, then it is time to replace.
2. Computer applications also dictate changing out a computer. Microsoft Office 2010 has a requirement for higher processor, RAM and disk space needs.
3. Based upon experience with the continuing changes and improvements in desktop computing capabilities, it is recommended that a four to five year replacement cycle will create an adequate platform to support standard business applications. However, each computer should be assessed on a regular basis to ensure that it continues to support the unique work applications of its user.

Notes

1. Note on 64-bit versions of Windows: Most applications and services commonly used at Workforce Alliance will run under 32-bit versions of Windows; however, all new versions of software now require a 64-bit processor and OS version.

2. Note on Windows XP and Windows Vista Home Editions: Home editions are not recommended for faculty and staff computers. These versions are not compatible with the Workforce Alliance infrastructure.


Backup and Disaster Recovery plan via Remote Login Utilizing Terminal Services to Co-Location EOC Category 5 Building

[Diagram: Remote Users; COLO VPN; Terminal Server (RDP or Website); Terminal Services Sessions]


NETWORK BACKUP FLOW CHART


Daily Backup Maintenance


Logon to the backup server:
1. Log on to beets.
2. Start Symantec Backup Exec 2012 for Windows Servers.

Check Jobs:
1. Click the job monitor tab.
2. Look at the Job History, Job status for successful completion of the scheduled jobs.
3. Double click the completed job for a report.

Check Alerts:
1. Click the Alerts icon.
2. Double click the alert for more info or to acknowledge.

Check Media:
1. Click the media tab.
2. Click the 5_week media set.
3. Verify there is enough overwriteable or appendable media for the scheduled jobs.
4. Click the Netappprod1 media set.
5. Verify there is enough overwriteable or appendable media for the scheduled jobs.

Verify there is enough disk space on drive D and E for the backup to disk files.

Offsite Backups


How to select tapes to move offsite.

Logon to the backup server:
1. Log on to beets.
2. Start Symantec Backup Exec 2012 for Windows Servers.

Select Media:
1. Click the job Storage tab.
2. Under job history, check the properties of the following jobs to determine the media used. Right click the job and select properties. Expand the device and media Information section and look at "All media used".
3. Jobs run from Friday night to Monday morning for a complete backup set of all sites; select the media from all of the following jobs for the target date: Friday – Monday AM.
4. Make a list of the media used, usually 3 to 6 tapes.

Remove Tapes:
To export the media used in the jobs listed above, see Backup Tapes - Removing offsite tapes.


Backup Tapes - Removing offsite tapes

Removing tapes for offsite backup from the i500 Quantum library:
1. You must create a job to export media from Backup Exec and the robotic library.
2. Log on to beets and open Backup Exec.
3. On the navigation bar, click Devices.
4. Select the robotic library, TAPE001 or TAPE002.
5. Tape002 is for the SAN and all VMware servers.
6. Tape001 is for everything else.
7. Click Slots.
8. On the results pane, select the tape numbers you want to export.
9. Under Media tasks in the task pane, select Export media.
10. Enter a job name.
11. Click options.
12. Select Keep Data Infinitely-Do Not Allow Overwrite as the media vault.
13. Click ok and run the job.
14. Media is moved to the Import/Export portal on the robotic library.
15. Remove the tapes from the robotic library.
16. Click the media tab.
17. Click the Keep Data for 5 weeks Media set.
18. Select all the media exported.
19. Right click and select associate with media set.
20. Select the offsite set and click yes.

Restore a File

Connect to the backup server:
1. Log on to beets.
2. Start Symantec Backup Exec 2012.
3. Click the storage tab.
4. Click on restore.

Select files or folders:
1. Click the view by resource tab.
2. Expand the selections under the server with the missing file(s).
3. Select the most recent backup or the date required and expand the contents.
4. Navigate to the missing files or folders.
5. If there are no objects, go to the next oldest backup set. (Since the backups are differential, there are no files if there were no changes during that period.)
6. Repeat if necessary to find the last version of the file.
7. In the window on the right, select the files or folders.

Run the restore job:
1. At the bottom, click the run now button.
2. In the job summary window, click ok.
3. Click ok in any filter warning dialog boxes.
4. Click the job monitor tab.
5. The restore job should be active.


Verify the restore:
1. Verify the job completes successfully.
2. Navigate to the path of the missing files or folders and verify the file was restored.
3. Close Backup Exec and log off beets.


Backup Tapes - Adding

Adding tapes on the i500 Quantum backup:

YOU MUST BARCODE THE TAPES BEFORE INSERTING THEM IN THE TAPE LIBRARY.

1. Logon: admin
2. Password: password
3. Open the portal door on the right side of the i500.
4. Insert tapes for 1 partition at a time (partitions are san01 or network01).
5. You cannot import the cartridges until you assign them to a partition from the front panel. Once you assign the partition you can import from the front panel or web interface.
6. After inserting the tapes follow on-screen instructions and choose the destination partition. Login credentials are admin/password. Tapes will not show up in the web interface until you select the destination from the control panel.
7. Press the operations tab and choose media import.
8. Select the partition. Check the tapes to import and click apply.
9. Click logout.

Import the Media in Backup Exec (BE):
1. Log on to beets and start BE.
2. Go to devices, select robotic library, slots.
3. Click empty slot, under media tasks, click scan.
4. Click slot, under media tasks, select import media.
5. In the job settings, options, select auto-inventory after import is completed. Click ok. This forces a read of the media, changes the type from unknown to blank, and associates it with the scratch media set.
6. (To inventory media separately in BE: devices > Robotic libraries > slots > right click slot and click inventory.)

Set Media Properties:
1. To set media properties, go to media view, right click tape, choose properties, general tab, media type, choose LTO; for subtype choose LTO.


Erasing and deleting B2D files

To erase a backup to disk file:
1. Log on to the backup server beets.
2. Open Symantec Backup Exec 2012 for Windows Servers.
3. Click the storage tab.
4. Expand the Backup-to-disk devices.
5. Click Slots.
6. In the media list, right click the media to erase.
7. Select erase.
8. The file is moved to scratch media.

To remove (delete) the B2D file:
1. Make a note of the file number to delete.
2. Click the media tab.
3. Click on scratch media.
4. In the media list, right click the media and select Associate with media set.
5. In associate with, choose retired media.
6. Click retired media.
7. Right click the media and choose delete.
8. Go to my computer, drive D:.
9. Navigate to one of the 3 b2d folders, _Remote_Servers_BB (BG, or Fern).
10. Find the file number noted above and erase the B2D files in the folder.


Monday, Tuesday, Wednesday, Thursday:
6a Tape001 SQL linked jobs: PT and HQ data + logs, incremental
5pm Tape001 Sharepoint and Masters incremental daily
5p-Finished Remote sites and local incremental

Friday:
6a Tape001 SQL linked jobs: PT and HQ data + logs, FULL
5pm Tape001 Sharepoint and Masters incremental daily
5p-Finished Remote sites and local Full (BB, hq, bg, pt)

Saturday/Sunday:
Sharepoint Farm Full Backup, 5pm-Finished
MIPSERVER Backup Full, 4pm-Finished
4p Netappprod1 NDMP Full, 7pm-Finish


Systems Documentation Inventory and Policy

The subheading Systems Documentation contains the procedures for recording the acquisition of new resources and maintaining the inventory of existing equipment and materials. All new acquisitions will be classified as either consumable or durable. Supplies are items classified as consumable, such as recordable media, toner, ink cartridges, paper, RJ45, and CAT5 cable. Durable items are divided into hardware (equipment) or software and licenses. When a shipment is received the items will be examined for damage and marked off the packing list, which will be initialed and dated. The packing list will be attached to the corresponding purchase order. Any damaged, missing, backordered, or extra items are to be noted and the vendor is to be contacted promptly.

Supplies

Ink cartridges: are the responsibility of the individual user

Toner: 1 set should be in stock for every four printers of that model

Drums, Imaging Units, etc: 1 will be in stock if there are four or more printers of that model on campus

Recordable Media: will be reordered when the following minimum levels in stock are reached
  o CD-R: 25
  o CD-RW: 5
  o DVD-/+R: 5
  o Data Tapes: 2/drive

Cabling Supplies: will be reordered when the following minimum levels in stock are reached
  o RJ45: 30
  o Jacks: 5
  o CAT5 Patch Cable: 10
  o CAT5e: 300' (should be plenum)

Other Supplies: minimum levels will be established by the Director of Information Technology

Workforce Alliance staff members may request supplies from the IT Resource Center.

Hardware

All hardware/equipment will be given an orange Workforce Alliance ID Tag with a unique number. Unauthorized removal or modification of a tag is strictly forbidden.


Inventory Database

All hardware/software will be recorded in the Workforce Alliance IT Inventory Database. Certain component items will be listed together as a single unit, such as a PC. A PC includes the hard drive, RAM, other internal components, along with a keyboard and mouse. The IT Inventory Database will utilize the following fields (if applicable) for each record:

Workforce Alliance ID #

Description

Purchase Order #

Manufacturer

Model #

Serial #

IP address (if static) – Optional

MAC Address - Optional

Network Name - Optional

Physical Location

User’s Name

Processor/CPU speed and type

RAM - Optional

Hard Drive

Internal Drives (CD, DVD, etc) - Optional

Graphics Card - Optional

Sound Card - Optional

Modem - Optional

Keyboard and Mouse - Optional

Screen size and type - Optional

Available ports or outlets - Optional

Available slots - Optional

Available bays - Optional

Date salvaged

Software

All software and licenses will be inventoried using the database; in addition, a hard copy record will be maintained in a fireproof cabinet or offsite. Software will be tagged or assigned a Workforce Alliance ID number. Software will be categorized as a box license, site license, or network version (including CAL), along with whether the seats are concurrent or static. The following fields will be used in the IT Inventory Database for each record (if applicable):

Description/Title

Version

Publisher

Serial #

Product ID #

Purchase Order #


License Type

Number of Licenses/Classification

License #

Key Code

Workforce Alliance ID # (where it is installed)

IT Inventory Database

Any new acquisitions classified as hardware or software will be entered into the database prior to allocation. Any modification to a PC, network appliance or device, or any supported system must be documented in the IT Inventory Database. The staff member making the alterations, including the installation of software or relocating the device, must be authorized by the Director of Information Technology, or a properly designated representative. Items designated as salvage/surplus by the Director of Information Technology will be noted in the database, listing the date the item is removed from inventory.


Network Structure

The subheading Network Structure elaborates on the basic information supplied in the IT Department Policies (p. 8-9) concerning the design, implementation, maintenance, and utilization of the information networks at Workforce Alliance. The basic structure of the computer network at Workforce Alliance will be a client/server domain controller on a Fast Ethernet network running TCP/IP.

Physical Structure/Layers 1-2

The primary media used for vertical drops will be CAT5e or higher cable with RJ45 or Keystone Jacks for terminations. Patch panels and keystone jacks will be wired using the T568B standard. 802.11(x) will be used for wireless networking when and where appropriate. Additional information on wireless network structure will be located under subheading Wireless Network of the IT Operational Procedures. Horizontal runs between the NOC and the primary IDF locations will utilize fiber optic cable with a minimum rating of 1 gigabit. Horizontal runs from a primary IDF to a local switch will utilize CAT5e or higher cable. All switches will be rated at 100 megabit or higher, with new acquisitions being VLAN capable.

Protocols

Workforce Alliance's computer network will use TCP/IP as the primary protocol. TCP/IP addresses will be assigned to servers, network appliances (switches, etc.), network printers, and other devices designated by the Director of Information Technology. The TCP/IP addresses used will be one of the private sets reserved for private networks. The Director of Information Technology will assign internal addresses utilizing the following scheme:

Servers and Network Devices: 192.168.x.xxx

IP Telephony Devices: 192.168.x.xxx

Workstations: 192.168.x-.xxx (generally set by DHCP)

The Director of Information Technology will assign all public TCP/IP addresses to the appropriate devices (such as the Web and E-mail servers) using those numbers assigned to Workforce Alliance by the Internet Service Provider (ISP), Windstream.

Primary Domain Controller Server

The Primary Domain Controller will be the server that administers and controls the Workforce Alliance domain. This server will control the permissions for the network and network devices, allowing access according to the rights assigned to each user. All users must log onto this server to obtain access to Workforce Alliance’s network. All passwords will be stored on this server, eliminating the security risks of keeping passwords on individual workstations. The Primary Domain Controller will be located in a physically secure area and password protected. Electronic access to this server will be limited to the IT Department and the Director. Under special circumstances the Director may give temporary authorization to another IT staff member.

Main and Intermediate Distribution Facilities

The primary Network Operation Center (NOC) located at 1951 N. Military Trail, West Palm Beach, will be located in a secure area with restricted access. The Director will allocate keys for the NOC to IT staff and the Facilities Manager and other authorized personnel. The NOC will house the POP (Point of Presence) for the telecommunication and Internet connections, in addition to the primary server bank. The NOC is the center hub of the extended star network topology; all fiber optic horizontal runs terminate on the central switch.

Servers

The primary domain controller and most other servers will be located in the NOC. Workforce Alliance will maintain 33 servers for the support of all four (4) Workforce Alliance sites. The servers will provide the following applications and TCP/IP protocols as needed to support all centers.

Authentication

DHCP

Proxy/Firewall

IP Telephony

E-mail

Web

Staff Files

Business Applications

vSphere 5 Virtual Host

NetApp SAN (Storage Area Networks)

Disaster Recovery vSphere 5 and NetApp SAN equipment at EOC Building

The Administrator passwords for the network and servers will be set and maintained by the IT Department. The list of passwords will be documented and stored in a file in the IT Department’s lockable fireproof cabinet. The same procedure will be followed in regards to the administrative password for all workstations and devices at Workforce Alliance.

Telephone and Internet Connections

Workforce Alliance will maintain four (4) telephone systems, with one system located at each site. They are interconnected to work as one telephonic system. For Internet connectivity a 100 Megabyte circuit is in place. Three (3) sites connect to 1951 N. Military Trail through their own 10 Megabyte MPLS circuit.


Network Access

The subheading Network Access contains the procedures for new and existing employees’ access to network resources. New users (or existing users who need to make changes) must follow these procedures to be issued a user name, initial password, roaming profile, home directory, and their Workforce Alliance email account. Access to specific components or programs on the network, in addition to security levels, will be assigned through the procedures established herein. Workforce Alliance maintains the ownership of all user accounts along with rights to monitor and access the information therein.

As stated in the IT Department Policies (p. 9), the employee must complete, sign, and submit a form with the HR Department called a security agreement form. The IT Department will create a unique user name, initial network password, roaming profile, and home directory for the employee. The employee will also be given access to a Workforce Alliance email account with the same user name as for accessing the network, with an address of [email protected].

For more information on email see subheading E-Mail Use. In certain instances the employee may also be given access to a positional email account such as [email protected] if needed when working on special projects with staff or the IT Department.

If a new employee needs (or an existing employee needs to modify) additional network access for restricted resources, he or she needs to complete a security form with their request. Restricted resources include any software platforms, databases, or other resources that have security levels, additional password requirements, or information that contains sensitive materials (as proscribed by the administration of Workforce Alliance). Once the employee completes the form it must be submitted to their immediate supervisor for approval. After the supervisor reviews the application and signs the form it is then forwarded to the Director of Information Technology to receive final approval. The Director of Information Technology has three working days to approve or deny the request. If denied he/she will notify, with an explanation, the applicant. If approved the following process will occur:

The Director will complete or assign an IT staff member to complete the proper access, passwords, user name, etc. for the employee making the request. This will be completed within a reasonable time period.

An IT staff member will contact the employee to provide an orientation/training on the network resources that are being made available. This will include information on the appropriate policies and procedures that govern use of the college’s resources. During this orientation the employee will be given the access and security level that were approved.

In the case of new employees the department head or area supervisor may initiate the request process. However, the user name, passwords, or other security codes will not be given to the employee before the employee signs, dates, and submits the appropriate forms to the Director of Information Technology or IT staff member.

Internet access for workshops can be handled through the normal processes stated

Issues involving the access and use of a wireless network will be located under subheading


Network Security

The subheading Network Security contains the procedures for providing the highest level of security for the Workforce Alliance network while maintaining a high degree of usability. All network users and staff must complete and sign forms at hire from the HR Department, which are then directed via email to the Director of Information Technology (see subheading Network Access). Upon approval by the Director the Technology (or authorized personnel) will, within three working days, create a unique user name, initial network password, roaming profile, and home directory for the employee. The employee will also be given access to a Workforce Alliance email account. If access to restricted applications or specific components of such programs is required, the user must complete and submit a form as outlined in subheading Network Access. Issues pertaining to the security of the operation of a wireless network will be located under subheading Wireless Network of the IT Operational Procedures.

User Names and Passwords

The following procedure will be adhered to in regards to the creation/issuing of user names and passwords unless specifically altered by the Director. Employee user names will be the first initial of the person’s first name along with the last name. The Director of Information Technology (or designated representative) will assign the default passwords and the user will be required to change the password on the initial login.

Passwords are case sensitive and must be a minimum of 8 characters

Staff passwords must be changed at a minimum of once every 45 days

IT personnel and other users with administrative rights must change their password a minimum of once/month

The same password may not be used twice in a row

The person assigned to a particular user name is responsible for its use, therefore it cannot be shared with other individuals or groups

o Violations must be reported to the Director

The Administrator password for a workstation or device will be designated by the Director

o This password will be recorded in a secure cabinet in the IT Director’s Office

o Only the Director of Information Technology and those staff members authorized by the Director will have access to the password(s)

The Administrator password for the Workforce Alliance network will be designated by the Director of Information Technology

o This password will be recorded in a secure cabinet in the IT Office

o Only the Director and upper management along with authorized personnel will have access to the password(s)

All staff user names will be given restricted privileges on the network and individual workstations by default

o The Director may authorize higher levels of access for IT staff members and other users under special circumstances

o Users may request high access levels by following the procedure outlined in subheading Network Access


Firewalls and Virus Protection

The IT Department will maintain a proxy server and/or a network firewall protecting the Workforce Alliance’s four (4) sites from outside intrusion. No server, workstation, or other network device will be assigned a public IP address without the prior approval of the Director of Information Technology. The IT Director will assign public IP addresses from those assigned to Workforce Alliance by the ISP. Any device with a public IP address must have a firewall protecting it from outside intrusions. Any successful or even a persistent attempt to breach the Workforce Alliance systems must be reported to the Director promptly. Any attempt by a Workforce Alliance network user to intentionally breach or bypass a secure/restricted system without authorization will result in loss of network privileges. The Director will report such occurrences to the CEO/President of Workforce Alliance, or designated representative, for additional actions (such as suspension or termination, or even possible legal action).

The IT Department will maintain virus protection on the email smart host to scan incoming messages, and on all other servers, workstations, and appropriate network devices. To limit possible routes of infection the preferred method of data transfer from the outside to systems on our network will be through email attachments. Staff members are allowed to use removable disk media or other portable storage devices such as USB key drives. Before transferring data onto the Workforce Alliance system, data must be scanned using an up-to-date virus protection program. Employees are not allowed to use portable storage devices or recordable disks on Workforce Alliance equipment without having a staff member scan the data for viruses. In the case of CD-R or similar DVD format the staff member may initial the disk after the scan, thus bypassing this step in the future. Under certain circumstances a staff member may be authorized to perform his or her own virus scans by the Director.

Suspicious email/attachments/files should not be opened and must be reported to an IT staff member. Any computer/network problems that may be due to virus or other outside intrusion likewise need to be reported promptly to an IT staff member. These reports will be forwarded to the Director of Information Technology for further investigation and action.

Affected devices may be removed from the network by any IT staff member to halt the transmission of the infection or intrusion until the Director, or a designated representative, gives authorization to reconnect the device. Infecting, or transmitting a virus, worm, other malicious code or “spam” on or from Workforce Alliance equipment is strictly prohibited, and must be reported to the Director. In cases of gross negligence or intentional violations of this policy the Director will report the occurrence(s) to the President of Workforce Alliance, or designated representative, for additional actions (such as suspension or termination, or even possible legal action).

Internal Security of the Workforce Alliance

To protect the overall security of the LAN, individual users will only have restricted rights on the workstation they use, unless authorized by the Director (see Network Access). The purpose for this is to limit the ability to download and install harmful programs or code. It also limits the capabilities to inadvertently change settings that could adversely affect the performance of an application, workstation, or the overall network. Incorrectly setting an IP address, for example, could halt the operation of the telephony system. No user, other than IT personnel designated by the Director, will have administrative rights on any computer other than the station assigned (i.e. their office computer). The Director may authorize special access for academic purposes in classrooms where a particular application’s use requires a higher level of rights.


All downloads (see forms section) or the installation of programs onto any system at Workforce Alliance require adherence to the proper policies and procedures as outlined in this manual. The Director, or properly designated representative, will approve or deny authorization on a case-by-case basis depending on issues of resources, licensing agreements, and security.

The security of servers, along with the data stored upon them, is the primary responsibility of the Director of Information Technology. Servers must be maintained in a secure lockable area with access limited to IT Staff and others specifically authorized by the Director. Data residing on 33 servers will be backed up on a regular basis to a robotic backup system located at the main office at 1951 N. Military Trail, West Palm Beach, and replicated to the other sites to include Belle Glade and Boca Raton. In addition, beginning the week of October 15-19, a complete replica of the data on Workforce Alliance’s 33 servers will be replicated to the EOC category 5 building as a DR (disaster recovery) site in the event of a major disaster. Systems or files designated as critical by the Director or the President will be backed up using the same procedure a minimum of every working day. Archiving of email to a removable storage media will depend on its nature. However, for critical systems/files a weekly schedule for archiving will be the minimum. Archived media will be stored in a lockable fireproof storage unit. Access will be limited to others specifically authorized by the Director of Information Technology.

Security of individual workstations and the data stored upon them is the primary responsibility of the assigned user. When the area is open to the public the individual user should lock their computer and/or use a password protected screensaver when logged on to the system. When a user will be absent from their station for an extended period of time it is recommended that they shut down the system or log off. If using a common area computer a user must log off the system before leaving.


Internet Use

The subheading Internet Use contains the procedures governing staff access and use of the Internet. This procedure also establishes guidelines on how Workforce Alliance connects to the Internet.

As stated in the IT Department Policies (p. 9), the employee must complete and sign the security agreement form from HR and submit it to the Director of Information Technology. Upon approval, the IT Staff (or authorized personnel) will create a unique user name, initial network password, roaming profile, and home directory for the employee (see Network Access). No one is allowed access to the Internet using Workforce Alliance equipment without completing this form from HR. Exceptions will be made for special workshops or events with the approval of the Director of Technology. Additional Internet access would include any ability to download files off the Internet using FTP or related protocols or plug-ins not normally provided to employees, or passwords to restricted web sites (as proscribed by the administration of Workforce Alliance). Once the employee completes a security agreement it must be submitted to the department head or area supervisor for approval. After the supervisor reviews the application and signs the form it will be forwarded to the Director of Information Technology to receive final approval. The Director of Information Technology has three working days to approve or deny the request. If denied he/she will notify, with an explanation, the applicant. If approved, the following process will occur:

The Director will contact IT Staff to establish the proper access, passwords, user name, etc. for the employee making the request. This will be completed in three working days.

An IT staff member will contact the employee to provide an orientation/training on the Internet resources that are being made available. This will include information on the appropriate policies and procedures that govern their use. During this orientation the employee will be given the access and security level that were approved.

In the case of new employees, the department head or area supervisor may initiate the request process. However, the user name, passwords, or other security codes will not be given to the employee before the employee signs, dates, and submits the security agreement to the Director of Information Technology.

Internet access for workshops and for the public library computers can be handled in a separate manner. These stations will log into the network using a special user name with restricted access levels. Software or other blocking devices may be used on these stations that restrict web surfing beyond the normal levels prescribed at Workforce Alliance. Monitoring the use of the public stations in the Resource Rooms will be governed by policies and procedures established by the manager of Workforce Alliance administration. Other aspects of these workstations will still be under the governance of the IT Department.

Internet access for workshops can be handled through the normal processes stated above or, in special instances where this procedure is deemed unnecessarily cumbersome, the following procedure may be substituted. This would be in the case of a single day workshop whose participants are primarily not staff, and are unlikely to need access to the Workforce Alliance network again in the foreseeable future. Under these or similar circumstances the organizer of the workshop or event may request an exemption from the Director of Information Technology by completing and submitting the security agreement form at least three (preferably five) working days prior to the event. If approved, the Director of Information Technology or authorized IT Staff will create a special user name and password, along with the appropriate network access and resources to be used by the organizer of the event. These will be removed from the system within five working days after the end of the event. The organizer will be responsible for ensuring that the participants of the event follow the appropriate policies and procedures governing use of the network and Internet at Workforce Alliance.

The Director of Information Technology has the primary responsibility for the establishment, maintenance, and regulation of the Internet at Workforce Alliance. He or she may delegate these roles, in part, by designating an IT staff member as the web master (etc.), with the consent of the Director of Information Technology. The following are general guidelines regarding the Internet at Workforce Alliance:

The Proxy Server will control Internet traffic between the LAN and the WAN, unless specially approved by the Director.

A log of Internet traffic will be maintained by the Director of Information Technology or assigned staff, and will be periodically reviewed for inappropriate use. The log will be archived for a minimum of 14 days before being deleted.

Known or suspected use of the Internet that is inappropriate is to be reported promptly to the Director of Information Technology and appropriate blocks of internet sites will be made. Inappropriate use includes, but is not necessarily limited to:

1. Downloading, storing, or printing files or messages that are profane, obscene, or that use language or images that offend or tend to degrade others.

2. Violating copyright laws.

3. Using Workforce Alliance resources for commercial or financial gain without administration approval.

4. Vandalizing data of others, damaging equipment, or gaining unauthorized access to resources or invasion of privacy.

5. Using other people’s accounts, or posting personal communications without the original author's consent.

6. Wastefully using finite resources, including the unsanctioned use of Internet radio or streaming video (permission must be granted by Director of Information Technology or an officially designated representative).

Inappropriate use of the Internet at Workforce Alliance could result in the termination or restriction of the user’s accounts, in addition to other penalties established by the administration of the college.

To maintain acceptable bandwidth, the Director of Information Technology will establish a point system to calculate typical and high traffic usage rates.

The Director of Information Technology or designated representative will maintain a reasonable level of security, including proxy settings and/or firewalls, against outside intrusions. Virus, spam, and other appropriate protections will be maintained at reasonable levels. The Director of Information Technology will be notified of breaches, and be given periodic assessments on the security status along with any suggested or required upgrades.

The Database Administrator or designated representative will establish, maintain, and upgrade the Workforce Alliance web site. He or she will establish guidelines for the format and content of all web sites hosted on any domain owned or controlled by the college.

The Director of Information Technology or designated representative is responsible for the establishment, maintenance, removal, and allocation of all domains, IP addresses, bandwidth, and related items owned or controlled by Workforce Alliance.


E-Mail Use

The subheading E-Mail Use contains the procedures governing establishment and use of staff e-mail accounts provided by Workforce Alliance. As stated in the IT Department Policies, the employee signs a usage policy from HR upon hire. Upon approval, the IT Director (or authorized IT personnel) will, within three working days, create a unique user name, initial network password, roaming profile, and home directory for the employee (see Network Access). At this time the user will also be assigned an email account. The status of the person requesting the account will determine what domain will be used, the format of the user name, the default password, and storage space allotted. The Director of Technology under special circumstances will consider exceptions.

Workforce Alliance Administrative Offices

The account will be created on the PBCAlliance.com domain

User name will be the first initial of the first name and the full last name, for example John Doe would be [email protected]

The default password for a new staff member will be “first”. After first login, the new employee will be prompted to enter their own complex password

Default storage space will be limited to 500MB

Workforce Alliance Staff at remote sites

The account will be created on the PBCAlliance.com domain

User name will be the first initial of the first name and the full last name, for example John Doe would be [email protected]

The default password for a new staff member will be “first”. After first login, the new employee will be prompted to enter their own complex password

Default storage space will be limited to 250MB

Public Group Addresses

The account will be created on the PBCAlliance.com domain

User name will be the first initial of the first name and the full last name, for example John Doe would be [email protected] which will be an Exchange Distribution Group with special staff members added as recipients to the group.

The default password for a new staff member will be “first”. After first login, the new employee will be prompted to enter their own complex password

Default storage space will be limited to 250MB

The Director of Information Technology or a person officially designated as Postmaster, will establish and maintain an email server capable of hosting the domains listed above along with reserving the required number of public IP addresses. The Postmaster will perform the required system maintenance, including software updates, required upgrades to the hardware, virus protection, and other configurations as needed. Disk storage and reasonable bandwidth will be maintained at a minimum level for twice the total number of Workforce Alliance staff. In addition to ensuring adequate virus protection to the email server the Postmaster will make all reasonable efforts to eliminate spam from entering the system or originating from it.


The Policies and Procedures of the Workforce Alliance IT Department govern all email accounts provided by Workforce Alliance. By accessing the account, the user is consenting to the provisions established by the Workforce Alliance HR Department.


Requests for Service

The subheading Requests for Service details the procedures for differentiating between basic troubleshooting, emergency services, and regular service requests. Each of these different services has its own related procedures in regards to scheduling priorities, how service is rendered, and the reporting processes. In many circumstances, the decision of which procedure to use is left to the discretion of the IT staff member on the scene.

Regular Service Requests: The preferred method of handling any service request is to have the individual asking for support complete Form IT-B and submit it to the Director of Technology. The Director will then review the application and either approve or disapprove the request. This decision will be rendered in one or two working days under most circumstances.

If disapproved the Director will contact the individual making the request and explain why it was rejected, and suggest a possible solution to the problem.

If approved the Director will assign a priority level and service number to the application and will forward it to the appropriate IT personnel.

The IT staff member will then complete the request, or assign it to an IT staff member.

o Upon completion of the service request, the proper form must be dated and initialed by the IT staff member and returned to the Director.

o The IT staff member completing the service request must also complete (if applicable) On-line Ticket and submit it to the IT Department.

Priority levels will range from 1 (the highest) to 3 (the lowest). All the requests with a ranking of 1 must be completed before work can start on those with a ranking of 2, and so on.

o The Director can reassign a ranking based on changing circumstances.

o IT personnel may complete several related work requests of various priorities if it is more efficient, such as fulfilling all open requests on a particular workstation.

Requests that involve changing or resetting user names or passwords, or for creating a roaming profile/network drive, require the completion and submission of the security agreement form. Upon the receipt of the application the Director will proceed as if it was a regular service request.

A request for Internet downloads or software installation requires the completion and submission of an IT Ticket. Upon the receipt of the application the Director will proceed as if it was a regular service request.

Requests for changing access level/rights on the network or an individual workstation require the completion and submission of an IT Ticket. Upon the receipt of the application the Director will proceed as if it was a regular service request.

An IT Ticket must accompany requests that require the purchase of hardware, software, or services not already available at the college.


Basic Troubleshooting Service Requests: These requests deal with basic service of equipment or common application problems such as: not being able to access the network or related services, reconnecting a network drive path, a printer/copier being out of toner or staples, or a problem with a software application. Proper procedure in these cases is to contact the Director of Information Technology or the IT Staff.

The Director or the IT Staff member will note the occurrence on the weekly troubleshooting log, and at their earliest convenience the person on call will investigate the situation.

If possible the IT member will fix the problem and will then initial the entry on the weekly troubleshooting log.

The IT member will then complete and submit (if applicable) an IT Ticket to the Director. Notes should be filed for reference in future troubleshooting cases.

o Certain cases do not require the completion and submission of work notes: basic and routine matters, such as someone having the caps lock on while typing in their password, or a computer having been moved and the patch cable having come out.

o An IT Ticket must always be completed if a hardware component was replaced or if software needed to be installed.

If new hardware or software needs to be purchased to remedy the problem, an IT Ticket must be completed and submitted to the Director.

Emergency Service Requests: These are the highest priority service requests. Work will commence as soon as possible, even prior to the completion and submittal of the proper forms to the Director. The IT staff member(s) completing the service must submit work notes and/or an IT Ticket to the Director as in the case of a basic troubleshooting service. Emergency services will be limited to those systems designated as mission critical to the Workforce Alliance.

The following have currently been designated Mission Critical Systems:
o Network accounting applications
o FX Scholar or Empower software
o Telephone communications
o Internet communications to Fastlane and online transactions
o Instructional technology services
o File and application servers


Purchasing Procedure

All procurement of hardware, software, or technology services that will be part of or impact the Workforce Alliance’s data or communications networks must be purchased through the IT Department. The purpose of this process is to ensure compatibility of new components with the existing infrastructure and to maximize the efficiency of our resources. The IT Department will only maintain and service equipment and software that was procured, allotted, and implemented in a manner consistent with the appropriate policies and procedures.

The individual wishing to make a purchase must complete an IT Ticket and submit it to the Director of Information Technology.

o The form must have the signature of the appropriate departmental supervisor or grant officer.
o The form must have the appropriate fund number and be an allowable expense.
o The exact item does not have to be listed, although a detail of the features or capabilities that are required should be included. For example, one would not have to list an HP 4550DN, but rather just ask for a color laser printer with a duplexer.

The Director will evaluate the request and determine if the product or service is already available, or needs to be acquired from outside sources. The Director will either approve or deny the request in 3 working days (if feasible) with an explanation of why it was denied, if applicable.

o If approved the request will be processed by the IT Department.
o At least two approved vendors will be contacted for quotes.
o After choosing a vendor the Director (or authorized representative) will complete a Workforce Alliance Purchase/Check Request according to the appropriate procedures of the college.
o Upon receiving approval from the Workforce Alliance headquarters the Director (or authorized representative) will place the order with the vendor.
o Once the order is received it will be inventoried according to the IT Department’s policies and procedures. Then the individual/program officer requesting the product/service will be notified.

o The IT Department will keep one copy of all documents for their files.


Organization of Information Security

Monitoring, recording and reporting information system and/or information security breaches

This document deals with the organization and management of information security within Workforce Alliance.

Internal organization

This section establishes a management framework to initiate and control the implementation of information security within Workforce Alliance, consistent with, and complementary to, the information management policies and procedures adopted by Workforce Alliance management. Contacts with external security specialists or groups, including relevant authorities, are developed to keep up with industry trends, monitor standards and assessment methods and provide suitable liaison points when handling information security incidents.

Workforce Alliance commitment to information security

The Workforce Alliance Director of Information Technology actively supports security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. The Workforce Alliance Director of Information Technology and the IT Staff are responsible for:

a. ensuring that information security goals are identified;
b. formulating, reviewing, and approving information security policy;
c. reviewing the effectiveness of the implementation of the information security policy;
d. providing clear direction and visible management support for security initiatives;
e. recognizing and handling security breaches of information systems;
f. handling of disasters and the recovery from disasters;
g. providing the resources needed for information security;
h. approving assignment of specific roles and responsibilities for information security, to the extent possible, across Workforce Alliance;
i. initiating plans and programs to maintain information security awareness; and
j. ensuring that, to the extent practical, the implementation of information security.

Information security co-ordination

Information security co-ordination involves the co-operation and collaboration of the CEO, directors, managers, supervisors, users, remote administrators (i.e., EFM, OSST, DCF), application designers, auditors and security personnel specialists. This activity includes:

a. ensuring that security activities are executed in compliance with the Workforce Alliance information security policy;
b. identifying how to handle non-compliances or breaches;
c. approving methodologies and processes for information security, e.g. risk assessment and information classification;
d. identifying significant threat changes and exposure of information and information processing facilities to threats and breaches;
e. assessing the adequacy and coordinating the implementation of information security controls;
f. effectively promoting information security education, training and awareness throughout Workforce Alliance and among Workforce Alliance stakeholders;
g. evaluating information received from the monitoring and reviewing of information security incidents; and
h. recommending appropriate actions in response to identified information security incidents.

Authorization process for information processing facilities

All Workforce Alliance offices need appropriate user management authorization, authorizing their purpose and use. Hardware and software are checked to ensure that they are compatible with other system components. The use of personal or privately owned information processing facilities, e.g. laptops, hand-held devices, for processing business information, may introduce new vulnerabilities, and necessary controls are identified and implemented.

Confidentiality agreements

Confidentiality and non-disclosure agreements protect organizational information and inform signatories of their responsibility to protect, use, and disclose information in a responsible and authorized manner. Requirements for confidentiality or non-disclosure agreements reflecting Workforce Alliance’s needs for the protection of information have been identified by the Workforce Alliance HR department at the time of employment and should regularly be reviewed. The Workforce Alliance’s non-disclosure agreements address the requirement to protect the confidentiality of information using legally enforceable terms. To identify requirements for the non-disclosure agreements, the following elements are considered:

a. a definition of the information to be protected (e.g. confidential information);
b. expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely;
c. required actions when an agreement is terminated;
d. responsibilities and actions of signatories to avoid unauthorized information disclosure (such as ‘need to know’);
e. the permitted use of confidential information, and rights of the signatory to use information;
f. the right to audit and monitor activities that involve confidential information;
g. process for notification and reporting of unauthorized disclosure or confidential information breaches;
h. terms for information to be returned or destroyed at agreement cessation; and
i. expected actions to be taken in case of a breach of this agreement.

Contact with authorities

Workforce Alliance Management staff will develop procedures that specify when and by which authorities (e.g. law enforcement) are contacted, and how identified information security incidents are reported in a timely manner if it is suspected that laws may have been broken.

Contact with special interest groups with respect to information security

The Director of Information Systems, IT Staff and other pertinent groups are established to improve cooperation and coordination of security issues. Such agreements will identify requirements for the protection of sensitive information. Membership in special interest groups or forums is included as a means to:

i. improve knowledge about best practices and stay up to date with relevant security information;
ii. ensure the understanding of the information security environment is current and complete;
iii. receive early warnings of alerts, advisories, and patches pertaining to attacks and vulnerabilities;
iv. gain access to specialist information security advice;
v. share and exchange information about new technologies, products, threats, or vulnerabilities; and
vi. provide suitable liaison points when dealing with information security incidents.

Independent review of information security

The Workforce Alliance’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

Identification of risks related to external parties

Sensitive information might be put at risk by external parties such as vendors working with inadequate security management. The risks to Workforce Alliance’s information from external parties need to be identified and appropriate controls implemented before granting access. The identification of risks related to external party access will include the following:

a. the information processing facilities an external party is required to access;
b. the type of access the external party will have to the information and information processing facilities, e.g.:
   i. physical access, e.g. to offices, computer rooms, filing cabinets;
   ii. logical access, e.g. to Workforce Alliance’s databases, information systems;
c. network connectivity between Workforce Alliance’s and the external party’s network(s), e.g. permanent connection, remote access;
d. whether the access is taking place on-site or off-site;
e. the value and sensitivity of the information involved, and its criticality for business operations;
f. the controls necessary to protect information that is not intended to be accessible by external parties;
g. the external party personnel involved in handling Workforce Alliance’s information;
h. how the organization or personnel authorized to have access can be identified, the authorization verified, and how often this needs to be reconfirmed;
i. the different means and controls employed by the external party when storing, processing, communicating, sharing and exchanging information;
j. the impact of access not being available to the external party when required;
k. practices and procedures to deal with information security incidents and potential damages, and the terms and conditions for the continuation of external party access in the case of an information security incident;
l. legal and regulatory requirements and other contractual obligations relevant to the external party that are taken into account; and
m. how the interests of any other stakeholders may be affected by the arrangements.

Access by external parties to Workforce Alliance’s information will not be provided until the appropriate controls have been implemented and, where feasible, a contract has been signed defining the terms and conditions for the connection or access and the working arrangement. It is ensured that the external party is aware of their obligations, and accepts the responsibilities and liabilities involved in accessing, processing, communicating, or managing Workforce Alliance’s information.


Inventory of Information System Assets

All Workforce Alliance information system assets are clearly identified and an inventory of all assets drawn up and maintained by the Workforce Alliance IT Department. The asset inventory will include all information necessary in order to recover from a disaster, including type of asset, format, location, backup information, license information, and a business value. Based on the importance of the asset, its business value and its security classification, levels of protection commensurate with the importance of the assets are identified. There are many types of assets, including:

a. physical and electronic information: databases and data files, contracts and agreements, system documentation, research information, user manuals, training material, operational or support procedures, business continuity plans, fallback arrangements, audit trails, and archived information;
b. software assets: application software, system software, development tools, and utilities;
c. physical assets: computer equipment, communications equipment, removable media, and other equipment;
d. services: computing and communications services, general utilities, e.g. heating, lighting, power, and air-conditioning;
e. people, and their qualifications, skills, and experience; and
f. intangibles, such as reputation and image of Workforce Alliance.

Information security awareness, education, and training

All employees of Workforce Alliance and, where relevant, other users will receive appropriate awareness training and regular updates in Workforce Alliance policies and procedures, as relevant for their job function. Awareness training will commence with a formal induction process designed to introduce Workforce Alliance’s security policies and expectations before access to information or services is granted. Ongoing training will include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities, e.g. log-on procedure, use of software packages and information on the disciplinary process.

Disciplinary process

There is a formal disciplinary process conducted by the Workforce Alliance Human Resources department for employees who have committed a security breach. The disciplinary process will not be commenced without prior verification that a security breach has occurred. The formal disciplinary process will ensure correct and fair treatment for employees who are suspected of committing breaches of security. The formal disciplinary process will provide for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat offence, whether or not the violator was properly trained, relevant legislation, business contracts and other factors as required. In serious cases of misconduct the process will allow for instant removal of duties, access rights and privileges, and for immediate escorting out of the site, if necessary. The disciplinary process will also be used as a deterrent to prevent users from violating Workforce Alliance security policies and procedures, and any other security breaches.

Termination or change of employment

Responsibilities are in place by the Human Resources department and the IT Department of Workforce Alliance to ensure a user’s exit from Workforce Alliance is managed, and that the return of all equipment and the removal of all access rights are completed.


Return of assets

The termination process is formalized to include the return of all previously issued software, corporate documents, and computer equipment. Other Workforce Alliance assets such as mobile computing devices, access cards, software, manuals, and information stored on electronic media also will need to be returned. In cases where a user purchases the Workforce Alliance’s equipment or uses their own personal equipment, procedures are followed to ensure that all relevant information is transferred to Workforce Alliance.

Removal of access rights

Upon termination, the access rights of a user to assets associated with information systems and services are reconsidered. This will determine whether it is necessary to remove access rights. Changes of employment are reflected in removal of all access rights that were not approved for the new employment. The access rights that are removed include physical and logical access, keys, identification cards, information processing facilities, subscriptions, and removal from any documentation that identifies them as a current member of Workforce Alliance. If a departing user has known passwords for accounts remaining active, these are changed upon termination or change of employment, contract or agreement. Access rights for information assets and information processing facilities are reduced or removed before the employment terminates or changes, depending on the evaluation of risk factors such as:

a. whether the termination or change is initiated by the user, or by management and the reason of termination;
b. the current responsibilities of the employee, contractor or any other user; and
c. the value of the assets currently accessible.


Physical and Environmental Security and Breaches

Secure areas

Critical or sensitive information processing facilities are housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They are physically protected from unauthorized access, damage, and interference. The protection provided is commensurate with the identified risks.

Physical security perimeter

The following are implemented where appropriate for physical security perimeters:

a. security perimeters are clearly defined, and the strength of each of the perimeters will depend on the security requirements of the assets within the perimeter and the results of a risk assessment;
b. perimeters of a building or site containing information processing facilities are physically sound (i.e. there are no gaps in the perimeter or areas where a break-in could easily occur); the external walls of the site are of solid construction and all external doors are suitably protected against unauthorized access with control mechanisms, e.g. computer racks, bars, alarms, locks etc.; doors and windows are locked when unattended;
c. access to server rooms, sites and buildings is restricted to authorized personnel only.

Physical entry controls

The following are implemented:

a. the date and time of entry and departure of visitors are recorded, and all visitors are supervised unless their access has been previously approved;
b. they will only be granted access for specific, authorized purposes and are issued with instructions on the security requirements of the area and on emergency procedures; access to areas where sensitive information is processed or stored is controlled and restricted to authorized persons only;
c. authentication controls, e.g. access control card plus PIN, are used to authorize and validate all access;
d. an audit trail of all access is securely maintained;
e. all visitors are required to utilize some form of identification to be

Computer Equipment security and breaches

Equipment is protected from physical and environmental threats. Protection of equipment (including that used off-site, and the removal of property) is necessary to reduce the risk of unauthorized access to information and to protect against loss or damage. This will also consider equipment placement and disposal.

Equipment placement and protection

Equipment is placed to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. The following are implemented to protect equipment:

a. equipment is placed to minimize unnecessary access into computer work areas;


b. information processing facilities handling sensitive data are positioned and the viewing angle restricted to reduce the risk of information being viewed by unauthorized persons during their use, and storage facilities secured to avoid unauthorized access;

c. controls are adopted to minimize the risk of potential physical threats, e.g. theft, explosives, smoke, water, dust, vibration, electrical supply interference, communications interference, and vandalism;

d. guidelines for eating, drinking, and smoking in proximity to information processing facilities are established;

Supporting utilities

Computer equipment and peripherals are protected from power failures and other disruptions caused by failures in supporting utilities. All supporting utilities, such as electricity, water supply, sewage, heating/ventilation, and air conditioning, are adequate for the systems they are supporting. Support utilities are regularly inspected and, as appropriate, tested to ensure their proper functioning and to reduce any risk from their malfunction or failure. A suitable electrical supply is provided that conforms to the equipment manufacturer’s specifications. An uninterruptible power supply (UPS) to support orderly shut down or continuous running of computer systems is used for equipment supporting critical business operations. Power contingency plans will cover the action to be taken on failure of the UPS. UPS equipment is regularly checked to ensure it has adequate capacity and is tested in accordance with the manufacturer’s recommendations. The water supply is stable and adequate to supply air conditioning, humidification equipment and fire suppression systems (where used).

Cabling security

Power and telecommunications cabling carrying data or supporting information services is protected from interception or damage. The following are implemented for cabling security:

a. power cables are segregated from communications cables to prevent interference;
b. clearly identifiable cable and equipment markings are used to minimize handling errors, such as accidental patching of wrong network cables; and
c. a documented patch list is used to reduce the possibility of errors.

Computer Equipment maintenance

Computer equipment is correctly maintained to ensure its continued availability and integrity. The following are implemented for equipment maintenance:

a. equipment is maintained in accordance with the supplier’s recommended service intervals and specifications;
b. only authorized maintenance personnel will carry out repairs and service equipment;
c. records are kept of all suspected or actual faults, and all preventive and corrective maintenance;
d. appropriate controls are implemented when computer equipment is scheduled for maintenance, taking into account whether this maintenance is performed by personnel on site or external to Workforce Alliance.

Security of computer equipment off-premises

Security is applied to off-site equipment. Regardless of ownership, the use of any information processing equipment outside Workforce Alliance’s premises will need to be authorized by management. The following are implemented for the protection of offsite equipment:

a. equipment and media taken off the premises will not be left unattended in public places;
b. portable computers are carried as hand luggage when traveling;
c. manufacturers’ instructions for protecting equipment are observed at all times;


d. home-working controls are determined by a risk assessment and suitable controls applied as appropriate; and

e. adequate insurance cover is in place to protect equipment off-site.

Secure disposal or re-use of equipment

All computer related items containing storage media are checked to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal. Devices containing sensitive information are physically destroyed, or the information is destroyed, deleted or overwritten using techniques to make the original information non-retrievable rather than using the standard delete or format function. Damaged devices containing sensitive data will require a risk assessment to determine whether the items are physically destroyed rather than sent for repair or discarded.

Removal of property

Equipment, information or software will not be taken off-site without prior authorization. The following are implemented:

a. equipment, information or software will not be taken off-site without prior authorization;
b. users who have authority to permit off-site removal of assets are clearly identified;
c. time limits for equipment removal are set and returns checked for compliance; and
d. equipment is recorded as being removed off-site and recorded when returned.

Documented operating procedures

Workforce Alliance computer operating procedures are documented, maintained, and made available to all IT staff and located on the Workforce Alliance Intranet site and can be made available to users who need them. Documented procedures are prepared for system activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, backup, equipment maintenance, media handling, computer room and mail handling management, and safety. The operating procedures will specify the instructions for the detailed execution of each job including:

a. processing and handling of information;
b. backup;
c. scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times;
d. instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilities;
e. support contacts in the event of unexpected operational or technical difficulties;
f. system restart and recovery procedures; and
g. the management of audit-trail and system log information.

Change management

Operational systems and application software are subject to strict change management control. The following are implemented:

a. identification and recording of significant computer network changes;
b. planning and testing of changes;
c. assessment of the potential impacts, including security breach impacts, of such changes;
d. formal approval procedure for proposed changes;
e. communication of change details to all relevant persons;
f. fallback procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.


Formal computer management responsibilities and procedures are in place to ensure satisfactory control of all changes to equipment, software or procedures. When changes are made, an audit log containing all relevant information is retained. Changes to operational systems will only be made when there is a valid business reason to do so, such as an increase in the risk to the system. Updating systems with the latest versions of an operating system or application is not always in the business interest, as this could introduce more vulnerabilities and instability than the current version. There may also be a need for additional training, license costs, support, maintenance and administration overhead, and new hardware, especially during migration.

Separation of development systems from production systems

Development, test, and operational facilities are separated to reduce the risks of unauthorized access or changes to the operational system. In particular, the following items are considered:

a. rules for the transfer of software from development to operational status are defined and documented;
b. development and operational software will run on different systems or computer processors and in different domains or directories;
c. compilers, editors, and other development tools or system utilities will not be accessible from operational systems when not required;
d. the test system environment will emulate the operational system environment as closely as possible;
e. users will use different user profiles for operational and test systems, and menus will display appropriate identification messages to reduce the risk of error; and
f. sensitive data will not be copied into the test system environment.

Third party service delivery management

The Workforce Alliance will check the implementation of agreements, monitor compliance with the agreements and manage changes to ensure that the services delivered meet all requirements agreed with the third party.

Service delivery

Workforce Alliance will ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated, and maintained by the third party. Service delivery by a third party will include the agreed security arrangements, service definitions, and aspects of service management. In case of outsourcing arrangements, Workforce Alliance will plan the necessary transitions (of information, information processing facilities, and anything else that needs to be moved), and will ensure that security is maintained throughout the transition period. The Workforce Alliance IT Department will ensure that the third party maintains sufficient service capability together with workable plans designed to ensure that agreed service continuity levels are maintained following major service failures or disaster.

Monitoring and review of vendors (or third party services)

The services, reports and records provided by the third party are regularly monitored and reviewed, and audits are carried out regularly. Monitoring and review of third party services will ensure that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly. This will involve a service management relationship and process between Workforce Alliance and the third party to:

a. monitor service performance levels to check adherence to the agreements;

b. review service reports produced by the third party and arrange regular progress meetings as required by the agreements;

c. provide information about information security incidents and review of this information by the third party and Workforce Alliance as required by the agreements and any supporting guidelines and procedures;

d. review third party audit trails and records of security events, operational problems, failures, tracing of faults and disruptions related to the service delivered; and

e. resolve and manage any identified problems.

System planning and acceptance

Advance planning and preparation are required to ensure the availability of adequate capacity and resources to deliver the required system performance. Projections of future capacity requirements are made, to reduce the risk of system overload. The operational requirements of new systems are established, documented, and tested prior to their acceptance and use.

Capacity management

The use of resources is monitored and tuned, and projections are made of future capacity requirements, to ensure the required system performance.

System acceptance

Acceptance criteria for new information systems, upgrades, and new versions are established and suitable tests of the system(s) are carried out during development and prior to acceptance. The IT Department will ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented, and tested. New information systems, upgrades, and new versions will only be migrated into production after obtaining formal acceptance. The following items are considered prior to formal acceptance being provided:

a. performance and computer capacity requirements;

b. error recovery and restart procedures, and contingency plans;

c. preparation and testing of routine operating procedures to defined standards;

d. agreed set of security controls in place;

e. effective manual procedures;

f. business continuity arrangements;

g. evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end;

h. evidence that consideration has been given to the effect the new system has on the overall security of Workforce Alliance;

i. training in the operation or use of new systems; and

j. ease of use, as this affects user performance and avoids human error.

Monitoring and Protection against malicious and mobile code

Precautions are required to prevent and detect the introduction of malicious code. Software and information processing facilities are vulnerable to the introduction of malicious code, such as computer viruses, network worms, Trojan horses, and logic bombs. Users are made aware of the dangers of malicious code. Managers will introduce controls to prevent, detect, and remove malicious code and control mobile code.

Controls against malicious code

Detection, prevention, and recovery controls to protect against malicious code, along with appropriate hardware/software and user awareness, are implemented. Protection against malicious code is based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls. The following are implemented:

a. establishing a formal policy prohibiting the use of unauthorized software;

b. establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures are taken;

c. conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments is formally investigated;

d. installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the checks carried out will include:

e. checking any files on electronic or optical media, and files received over networks, for malicious code before use;

f. checking electronic mail attachments and downloads for malicious code before use; this check is carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of Workforce Alliance; and checking web pages for malicious code;

g. defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, reporting and recovering from malicious code attacks;

h. preparing appropriate business continuity plans for recovering from malicious code attacks, including all necessary data and software back-up and recovery arrangements;

i. implementing procedures to regularly collect information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code; and

j. implementing procedures to verify information relating to malicious code, and ensure that warning bulletins are accurate and informative;

k. IT Department will ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users are made aware of the problem of hoaxes and what to do on receipt of them.

Back-up

Routine procedures are established to implement the agreed back-up policy and strategy for taking back-up copies of data and rehearsing their timely restoration.

Information back-up

Back-up copies of information and software are taken and tested regularly in accordance with the agreed back-up policy. Adequate back-up facilities are provided to ensure that all essential information and software can be recovered following a disaster or media failure. The following items for information back-up are implemented:

a. the necessary level of back-up information is defined;

b. accurate and complete records of the back-up copies and documented restoration procedures are produced;

c. the extent (e.g. full or differential backup) and frequency of backups will reflect the business requirements of Workforce Alliance, the security requirements of the information involved, and the criticality of the information to the continued operation of Workforce Alliance;

d. the back-ups are stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site;

e. back-up information is given an appropriate level of physical and environmental protection consistent with the standards applied at the main site;

f. the controls applied to media at the main site are extended to cover the backup site;

g. back-up media are regularly tested to ensure that they can be relied upon for emergency use when necessary;

h. restoration procedures are regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery; and

i. in situations where confidentiality is of importance, back-ups are protected by means of encryption.

Network security management and Breaches

The secure management of networks, which may span Workforce Alliance boundaries, requires careful consideration of data flow, legal implications, monitoring, and protection. Additional controls may also be required to protect sensitive information passing over public networks.

Network controls to protect against breaches

Networks are adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit. The Director of Information Technology has implemented controls to ensure the security of information in networks, and the protection of connected services from unauthorized access. In particular, the following items are implemented:

a. special controls are established to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks;

b. appropriate logging and monitoring are applied to enable recording of security relevant actions; and

c. management activities are closely coordinated both to optimize the service to Workforce Alliance and to ensure that controls are consistently applied across the information processing infrastructure.

Security and breaches of network services

Network services include the provision of connections, private network services, and value added networks and managed network security solutions such as firewalls and intrusion detection systems. Security features, service levels, and management requirements of all network services are identified and included in any network services agreement, whether these services are provided in-house or outsourced. The ability of the network service provider to manage agreed services in a secure way is determined and regularly monitored, and the right to audit is agreed. The security arrangements necessary for particular services, such as security features, service levels, and management requirements, are identified. The Workforce Alliance IT Department will ensure that network service providers implement these measures.

Media handling

Media are controlled and physically protected by the Workforce Alliance IT Department. Appropriate operating procedures are established to protect documents, computer media (e.g. tapes, disks), input/output data and system documentation from unauthorized disclosure, modification, removal, and destruction.

Management of removable media

Removable media include tapes, disks, flash disks, removable hard drives, CDs, DVDs, and printed media. There are procedures in place for the management of removable media. The following is implemented for the management of removable media:

a. if no longer required, the contents of any re-usable media are made unrecoverable;

b. authorization is required for media removed from Workforce Alliance and a record of such removals is kept in order to maintain an audit trail; and

c. all media are stored in a safe, secure environment, in accordance with manufacturers’ specifications.

Disposal of media to prevent security breaches

Formal procedures for the secure disposal of media will minimize the risk of sensitive information leakage to unauthorized persons. The procedures for secure disposal of media containing sensitive information are commensurate with the sensitivity of that information. The following items are implemented:

a. media containing sensitive information are stored and disposed of securely and safely;

b. procedures are in place to identify the items that might require secure disposal; and

c. disposal of sensitive items is logged in order to maintain an audit trail.

Security of system documentation

System documentation is protected against unauthorized access. To secure system documentation, the following items are implemented:

a. system documentation is stored securely; and

b. the access list for system documentation is kept to a minimum and authorized by the IT Director.

Electronic messaging and breaches

Information involved in electronic messaging is appropriately protected. Security hardware/software and user considerations for electronic messaging will include the following:

a. protecting messages from unauthorized access, modification or denial of service;

b. ensuring correct addressing and transportation of the message;

c. general reliability and availability of the service;

d. legal considerations, for example requirements for electronic signatures;

e. stronger levels of authentication controlling access from publicly accessible networks.

Business information systems and breaches

Policies and procedures are implemented to protect information associated with the interconnection of business information systems. Consideration given to the security and business implications of interconnecting such facilities will include:

a. known vulnerabilities in the administrative and accounting systems where information is shared between different parts of Workforce Alliance business systems;

b. vulnerabilities of information in business communication systems, e.g. recording phone calls or conference calls, confidentiality of calls, storage of facsimiles, opening mail, distribution of mail;

c. policy and appropriate controls to manage information sharing;

d. excluding categories of sensitive business information and classified documents if the system does not provide an appropriate level of protection;

e. restricting access to diary information relating to selected individuals, e.g. personnel working on sensitive projects;

f. categories of personnel, contractors or business partners allowed to use the system and the locations from which it may be accessed;

g. restricting selected facilities to specific categories of user;

h. retention and back-up of information held on the system; and

i. fallback requirements and arrangements.

Electronic commerce services (on-line transactions)

The security implications associated with using electronic commerce services, including on-line transactions, are considered, and the requirements for controls are implemented.

Electronic commerce (i.e., Workforce Alliance Summits)

Information involved in electronic commerce passing over public networks is protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification. Security considerations for electronic commerce will include the following:

a. the level of confidence each party requires in each other's claimed identity, e.g. through authentication;

b. authorization processes associated with who may set prices, issue or sign key trading documents;

c. ensuring that trading partners are fully informed of their authorizations;

d. determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents, and the non-repudiation of contracts, e.g. associated with tendering and contract processes;

e. the confidentiality of any sensitive data or information;

f. the confidentiality and integrity of any order transactions, payment information, delivery address details, and confirmation of receipts.

Workforce Alliance Finance On-Line Transactions Security and Breaches

Information involved in on-line transactions is protected to prevent incomplete transmission, routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. Security considerations for on-line transactions include the following:

a. the use of electronic signatures by each of the parties involved in the transaction;

b. all aspects of the transaction, i.e. ensuring that user credentials of all parties are valid and verified;

c. the transaction remains confidential; and privacy associated with all parties involved is retained;

d. communications path between all involved parties is encrypted;

e. protocols used to communicate between all involved parties are secured;

f. ensuring that the storage of the transaction details is located outside of any publicly accessible environment, e.g. on a storage platform existing on the Workforce Alliance’s Intranet, and not retained and exposed on a storage medium directly accessible from the Internet; and

g. where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures and/or digital certificates) security is integrated and embedded throughout the entire end-to-end certificate/signature management process.

Publicly available information (Workforce Alliance website)

The integrity of information being made available on a publicly available system is protected to prevent unauthorized modification. Software, data, and other information requiring a high level of integrity, being made available on a publicly available system, are protected by appropriate mechanisms, e.g. digital signatures. The publicly accessible system is tested against weaknesses and failures prior to information being made available. There is a formal approval process before information is made publicly available. In addition, all input provided from the outside to the system is verified and approved. Electronic publishing systems, especially those that permit feedback and direct entering of information, are carefully controlled so that:

a. information is obtained in compliance with any data protection legislation;

b. information input to, and processed by, the publishing system is processed completely and accurately in a timely manner;

c. sensitive information is protected during collection, processing, and storage; and

d. access to the publishing system does not allow unintended access to networks to which the system is connected.

Monitoring of Information systems and breaches

Systems are monitored and information security events are recorded. Operator logs and fault logging are used to ensure information system problems are identified daily. Workforce Alliance IT staff comply with all relevant legal requirements applicable to their monitoring and logging activities. System monitoring is used to check the effectiveness of controls adopted and to verify conformity to an access policy model.

Audit logging for Information System breaches

Audit logs recording user activities, exceptions, and information security events are produced and kept for an agreed period to assist in future investigations and access control monitoring. Audit logs will include, when relevant:

a. user IDs;

b. dates, times, and details of key events, e.g. log-on and log-off;

c. terminal identity or location;

d. records of successful and rejected system access attempts;

e. records of successful and rejected data and other resource access attempts;

f. changes to system configuration;

g. use of privileges;

h. use of system utilities and applications;

i. files accessed and the kind of access;

j. network addresses and protocols;

k. alarms raised by the access control system; and

l. activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems.

Monitoring system use

Procedures for monitoring use of information processing facilities are established and the results of the monitoring activities are reviewed regularly. The level of monitoring required for individual facilities is determined by a risk assessment. Workforce Alliance IT Department will comply with all relevant legal requirements applicable to its monitoring activities. Areas that are implemented include:

a. authorized access, including detail such as: the user ID;

b. the date and time of key events;

c. the types of events;

d. the files accessed;

e. the program/utilities used;

f. all privileged operations, such as:

g. use of privileged accounts, e.g. supervisor, root, administrator;

h. system start-up and stop;

i. I/O device attachment/detachment;

j. unauthorized access attempts, such as: failed or rejected user actions;

k. failed or rejected actions involving data and other resources;

l. access policy violations and notifications for network gateways and firewalls;

m. alerts from proprietary intrusion detection systems;

n. system alerts or failures such as:

o. console alerts or messages;

p. system log exceptions;

q. network management alarms;

r. alarms raised by the access control system;

s. changes to, or attempts to change, system security settings and controls.

How often the results of monitoring activities are reviewed will depend on the risks involved. Risk factors that are considered include the:

a. criticality of the application processes;

b. value, sensitivity, and criticality of the information involved;

c. past experience of system infiltration and misuse, and the frequency of vulnerabilities being exploited;

d. extent of system interconnection (particularly public networks); and

e. logging facility being de-activated.

Protection of historical log information

Logging facilities and log information are protected against tampering and unauthorized access. Controls will protect against unauthorized changes and operational problems with the logging facility including:

a. alterations to the message types that are recorded;

b. log files being edited or deleted; and

c. storage capacity of the log file media being exceeded, resulting in either the failure to record events or over-writing of past recorded events.

Administrator and operator logs

System administrator and system operator activities are logged. Logs will include:

a. the time at which an event (success or failure) occurred;

b. information about the event (e.g. files handled) or failure (e.g. error occurred and corrective action taken);

c. which account and which administrator or operator was involved; and which processes were involved.

Fault logging

Faults reported by users or by system programs related to problems with information processing or communications systems are logged. There are clear rules for handling reported faults including:

a. review of fault logs to ensure that faults have been satisfactorily resolved; and

b. review of corrective measures to ensure that controls have not been compromised, and that the action taken is fully authorized.

Clock synchronization

The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder such investigations and damage the credibility of such evidence. Therefore, where a computer or communications device has the capability to operate a real-time clock, this clock is set to an agreed standard. As some clocks are known to drift with time, there is a procedure that checks for and corrects any significant variation. The correct interpretation of the date/time format is important to ensure that the timestamp reflects the real date/time. Local specifics (e.g. daylight savings) are taken into account.

Access Control

Business requirement for access control

Access to information, information processing facilities, and business processes is controlled on the basis of business and security requirements. Access control rules will take account of policies for information dissemination and authorization.

Access control policy

An access control policy is established, documented, and reviewed based on business and security requirements for access. Access control rules and rights for each user or group of users are clearly stated in an access control policy. Access controls are both logical and physical and these are considered together. Users and service providers are given a clear statement of the business requirements to be met by access controls. The policy will include the following:

a. security requirements of individual business applications;

b. identification of all information related to the business applications and the risks the information is facing;

c. policies for information dissemination and authorization, e.g. the need to know principle and security levels and classification of information;

d. consistency between the access control and information classification policies of different systems and networks;

e. relevant legislation and any contractual obligations regarding protection of access to data or services;

f. standard user access profiles for common job roles in Workforce Alliance;

g. management of access rights in a distributed and networked environment which recognizes all types of connections available;

h. segregation of access control roles, e.g. access request, access authorization, access administration;

i. requirements for formal authorization of access requests;

j. requirements for periodic review of access controls; and

k. removal of access rights.

User access management and monitoring of breaches

Formal procedures are in place to control the allocation of access rights to information systems and services. The procedures will cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services. In addition, audit logs are created 24/7 in the event of a security breach.

User registration regular monitoring

There is a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services. The access control procedure for user registration and de-registration will include:

a. using unique user IDs to enable users to be linked to and held responsible for their actions;

b. the use of group IDs will only be permitted where they are necessary for business or operational reasons, and are approved and documented;

c. checking that the user has authorization from the system owner for the use of the information system or service;

d. checking that the level of access granted is appropriate to the business purpose and is consistent with Workforce Alliance security policy;

e. giving users a written statement of their access rights;

f. requiring users to sign statements indicating that they understand the conditions of access;

g. ensuring service providers do not provide access until authorization procedures have been completed;

h. maintaining a formal record of all persons registered to use the service;

i. immediately removing or blocking access rights of users who have changed roles or jobs or left Workforce Alliance;

j. periodically checking for, and removing / blocking, redundant user IDs and accounts; and

k. ensuring that redundant user IDs are not issued to users.

Privilege management

The allocation and use of privileges are restricted and controlled. Multi-user systems that require protection against unauthorized access will have the allocation of privileges controlled through a formal authorization process. The following steps are implemented:

a. the access privileges associated with each computer system are identified by;

b. privileges are allocated to users on a need-to-use basis in line with the access control policy, i.e. the minimum requirement for their functional role only when needed; and

c. an authorization process and a record of all privileges allocated are maintained. Privileges will not be granted until the authorization process is complete.

Information Security Incident Management

Reporting information security events and weaknesses

Formal event reporting and escalation procedures are in place. All users are made aware of the procedures for reporting the different types of event and weakness that might have an impact on the security of Workforce Alliance assets through email, Workforce Alliance Intranet and training. They are required to report any information security events and weaknesses as quickly as possible to the designated point of contact.

Reporting information system security events

Information security events are reported through appropriate management channels as quickly as possible. A formal information security event reporting procedure is in place, together with an incident response and escalation procedure, setting out the action to be taken on receipt of a report of an information security event. A point of contact is established for the reporting of information security events. It is ensured that this point of contact is known throughout Workforce Alliance, is always available and is able to provide adequate and timely response. All users are made aware of their responsibility to report any information security events as quickly as possible. They will also be aware of the procedure for reporting information security events and the point of contact. The reporting procedures will include:

a. suitable feedback processes to ensure that those reporting information security events are notified of results after the issue has been dealt with and closed;

b. information security event reporting forms to support the reporting action, and to help the person reporting to remember all necessary actions in case of an information security event;

c. the correct behaviour to be undertaken in case of an information security event, i.e. noting all important details (e.g. type of non-compliance or breach, occurring malfunction, messages on the screen, strange behaviour) immediately;

d. not carrying out any own action, but immediately reporting to the point of contact;

e. reference to an established formal disciplinary process for dealing with users who commit security breaches.

Examples of information security events and incidents are:

f. loss of service, equipment or facilities, system malfunctions or overloads, human errors, non-compliances with policies or guidelines, breaches of physical security arrangements, uncontrolled system changes, malfunctions of software or hardware, and access violations.

Reporting security weaknesses

All users of information systems and services are required to note and report any observed or suspected security weaknesses in systems or services. All users will report these matters either to their management or directly to their service provider as quickly as possible in order to prevent information security incidents.

The reporting mechanism will be as easy, accessible, and available as possible. Users are informed that they will not, in any circumstances, attempt to prove a suspected weakness.

Management of information security incidents and improvements

Responsibilities and procedures are in place to handle information security events and weaknesses effectively once they have been reported. A process of continual improvement is applied to the response to, monitoring, evaluating, and overall management of information security incidents. Where evidence is required, it is collected to ensure compliance with legal requirements.

Responsibilities and procedures for information system breaches

Management responsibilities and procedures are established to ensure a quick, effective, and orderly response to information security incidents. In addition to reporting of information security events and weaknesses, the monitoring of systems, alerts, and vulnerabilities is used to detect information security incidents. The following guidelines for information security incident management procedures are considered:

a. procedures are established to handle different types of information security incident, including:

b. information system failures and loss of service;

c. malicious code;

d. denial of service;

e. errors resulting from incomplete or inaccurate business data;

f. breaches of confidentiality and integrity;

g. misuse of information systems;

h. in addition to normal contingency plans, the procedures will also cover: analysis and identification of the cause of the incident;

i. containment;

j. planning and implementation of corrective action to prevent recurrence, if necessary;

k. communication with those affected by or involved with recovery from the incident;

l. reporting the action to the appropriate authority;

m. audit trails and similar evidence are collected and secured, as appropriate, for:

n. internal problem analysis;

o. use as forensic evidence in relation to a potential breach of contract or regulatory requirement or in the event of civil or criminal proceedings, e.g. under computer misuse or data protection legislation;

p. negotiating for compensation from software and service suppliers;

q. action to recover from security breaches and correct system failures is carefully and formally controlled; the procedures will ensure that:

r. only clearly identified and authorized personnel are allowed access to live systems and data;

s. all emergency actions taken are documented in detail;

t. emergency action is reported to management and reviewed in an orderly manner;

u. the integrity of business systems and controls is confirmed with minimal delay.

v. The objectives for information security incident management are agreed with management, and it is ensured that those responsible for information security incident management understand Workforce Alliance’s priorities for handling information security incidents.
