Deloitte Technology Fast 50 Central Europe 2008

Policies, legal background, procedures

Introduction of the ISO17799/BS7799 system

In the course of the storage, processing and transfer of electronic information, confidentiality, integrity and availability criteria must be complied with. Assuring such compliance differs from traditional property protection tasks. Therefore, in order to protect our clients' information assets and IT resources, we recommend introducing a uniform IT Security Control System (hereinafter referred to as IBIR).

Our methodology follows the ISO17799 standard, which was adopted as an ISO/IEC standard in 2001 and is based on the standard developed by the British Standards Institution under the name BS7799.

Virus Protection Policy

Our opinion is that an appropriate virus protection policy should cover the following areas:

  • General provisions
  • The virus protection system
  • Virus protection of workstations
  • Virus protection of IT servers
  • Virus protection of external connections
  • Management of the virus protection system
  • Control of virus outbreaks
  • Inspections
  • Education

Business Continuity Plan

Business continuity planning consists solely of preparation for ensuring the ongoing availability of all key business resources that support the essential business activities. Business continuity planning results in a Business Continuity Plan (BCP), which is designed to assist in the efficient elimination of failures and stoppages occurring in critical business processes.

Disaster Recovery Plan

The Disaster Recovery Plan is a document that sets out, step by step, what to do in the preparatory phase preceding a possible disaster, upon the occurrence of an event considered a disaster, and after such a disaster. It determines the scope of responsibilities of the persons participating in disaster recovery, and contains the information absolutely necessary for the successful completion of that recovery. The development of the Disaster Recovery Plan comprises 4 steps:

  • Situation assessment;
  • Threat analysis;
  • Risk analysis;
  • Development of the Disaster Recovery Plan.

Risk Management

kancellár.hu regards risk management methodology as akin to a weather forecast: even for the input data, one cannot be sure of having all the necessary information, or that the selected methodology accurately models reality. However, we believe that the model can be improved and developed through the ongoing evaluation of results and experience. For such development it is essential that experience, especially that gathered within the company, be regularly evaluated and processed. For the development of the risk management methodology, kancellár.hu recommends applying the procedure laid down in standard AS4360, since:

  • The scope of this procedure can be freely restricted or extended;
  • It sets out the tasks within the frames of a uniform structure;
  • It can be applied in general terms, independently of the economic sector;
  • It is easy to introduce, and integrates the opportunity for further development.

Establishment, Development of the Backup Regime

It is common practice that the data stored in or processed by certain applications are not backed up in a uniform manner. Because the data are not backed up uniformly, restoration is liable to cause problems. The objectives of our work are:

  • As an immediate protective measure, to develop secure copying and restoration procedures that enable restoration in all circumstances, and to document the applicable procedures so that the person responsible for backup can perform these tasks independently;
  • To examine, for backup measures focused on data, what speeds can be attained for saving and restoration operations;
  • To provide an alternative proposal for the development of the backup operations, supplying the required instruments, as well as both the logical and physical configuration of the execution;
  • To develop a test environment, perform saving and restoration in it, and test the additional, special functions;
  • To have all steps documented.

Data Protection and Data Security Policy

The amendment of Act LXIII of 1992 on the protection of personal data and the disclosure of data of public interest, effective as of 1 January 2004, requires several organisations that are major data administrators (entities involved in the administration or processing of national official, employment or criminal databases, financial organisations, telecommunications and public utility operators) to develop a data protection and data security policy.

Creating regulations for data protection and data security

kancellár.hu undertakes, on behalf of the handler of data, to create Regulations for Data Protection and Data Security in the following format:

  • General Statutes
  • Prerequisites of Handling Data
  • Procedures for Handling Data
  • Security Requirements for Data Handling Activities
  • Enforcing Stakeholders’ Rights