WORKFORCE ALLIANCE
Information Technology Department
IT Department
Operational Procedures
Workforce Alliance
IT Department Operational Procedure
1|Page
INFORMATION TECHNOLOGY DEPARTMENT
Operational Procedures
Workforce Alliance
1951 North Military Trail, Suite D
West Palm Beach, FL 33409
Telephone: (561) 340-1060
Table of Contents
IT Operation Structure ... 3
Resources and Equipment ... 4
Purchasing and Replacing Computers for Workforce Alliance ... 6
Backup and Disaster Recovery ... 7
Network Backup Flow Chart ... 10
Daily Maintenance Backup Procedure ... 11
Systems Documentation ... 14
Network Structure ... 12
Backup Tapes - Removing offsite tapes ... 14
Systems Documentation Inventory and Policy ... 18
Inventory Database ... 19
Network Structure ... 22
Network Access ... 24
Network Security ... 25
Internet Use ... 28
E-Mail Use ... 30
Requests for Service ... 32
Monitoring, recording and reporting information system and/or information security breaches ... 33
Purchasing Procedure ... 35
THIS HANDBOOK IS NOT INTENDED TO CREATE, NOR IS IT TO BE INTERPRETED AS TO CREATE, A LEGALLY BINDING
CONTRACT BETWEEN THE WORKFORCE ALLIANCE STAFF AND ANY OF ITS EMPLOYEES.
In the event that the terms of this handbook conflict with the written and approved personnel
policies of the Workforce Alliance, the policies of Workforce Alliance shall be controlling.
IT Operational Structure
The IT Department at the Workforce Alliance has responsibilities in many areas, including network
infrastructure and telecommunications (site-to-site connectivity, Internet access and telephone systems)
in addition to the maintenance and control of hardware/software for multiple departments.
Infrastructure
This core responsibility of the Workforce Alliance IT Director and staff is to maintain the four (4)
offices' LAN/WAN infrastructure, which includes 33 physical and virtual servers, three (3) VMWare
VSphere hosts, two (2) NetAPP 2240 SANs (Storage Area Networks) including a DR (disaster recovery)
site, 625 computers/laptops, and network devices including routers, switches, firewalls, security
appliances, applications, and databases. The security and integrity of the information systems at
Workforce Alliance is the primary concern of the IT Department.
Infrastructure is further divided into two major components: network and applications. The network
component focuses on the LAN, from the media and network appliances to the addressing schemes, network
services, and the hardware aspect of all nodes and equipment.
IT Department Job Descriptions
The Director's primary responsibility is to oversee the streamlined operation of Workforce Alliance's
infrastructure and IT department and to ensure it aligns with the business objectives of the organization.
Director daily responsibilities:
Manage Exchange 2003/2010 services, internal/external security appliances with a separate email firewall,
Cisco network routers, switches, 33 virtual/physical servers, 625 desktops, email servers, VPN
hardware/software equipment, the NetAPP SAN (Storage Area Networks), and the 3 VMWare virtual
hardware/software hosts which hold all Workforce Alliance data, as well as the Disaster Recovery
hardware/software appliances that will soon be deployed at the EOC category 5 building; manage a staff
of 4. I am currently the Region21 RSO for EFM, OSST, DCF. In addition, the Director is responsible for
IT budgets, coordinates projects for all departments, and purchases all hardware and software for
Workforce Alliance, provides support for the HR/Payroll system, and maintains the Polycom audio/video
conferencing equipment for all sites.
DBA daily responsibilities:
Eric Tremelling, Database Administrator: Eric is responsible for maintaining multiple SQL databases and
the internal and external websites, and for developing web-based applications as needed by Workforce
Alliance. He also maintains the backup software for Workforce Alliance data, and provides support for
the HR/Payroll system as needed, Intranet/SharePoint support, CRM and backup.
IT Technician daily responsibilities:
Chuck Hunter: The IT Technician provides support within the organization's 625-desktop computing
environment, including installing, diagnosing, repairing, and maintaining computers, printers and the
various desktop automation software to ensure optimal performance. Also responsible for inventory.
IT Technician daily responsibilities:
Tim Moss: The IT Technician provides support within the organization's 625-desktop computing
environment, including installing, diagnosing, repairing, and maintaining printers and the various
desktop automation software to ensure optimal performance. Also responsible for inventory.
Resources and Equipment
The IT Department has jurisdiction over all computer workstations, network devices, software, and all
other computer/telephony components and accessories. Within the guidelines established through
Workforce Alliance policies, the Director of Information Technology has the discretionary power to
allocate these resources as required, to establish proper-use procedures, and the ability to delegate these
functions to other authorized staff members. The purchase, modification, or placement on the network or
existing systems of any of the aforementioned items must be authorized by the Director of Information
Technology, or by an officially designated proxy.
All software and hardware relating to computer/network/telephony systems will be inventoried and
maintained according to the IT Department Policies, and within the appropriate subsections of the IT
Operational Procedures. This subsection details the procedures established by the IT Department to ensure
proper use of, and compliance with the policies regarding, IT resources and equipment.
Workstations: All staff members will be given the use of a computer in their office with access to the
Workforce Alliance network. Modifications to staff workstations, including the addition or removal of
hardware or software, are not allowed without prior approval of the IT Department.
• Every workstation will be able to print on at least one network printer and one backup printer (one
of which will be color).
• Individual desktop printers will not be available unless the Director of Information Technology
deems it necessary under special circumstances.
• Unless otherwise authorized by the Director, all workstations will use Windows XP Pro or Windows
7 as the operating system. The initial software install on the system will include MSOffice (Standard
or Professional), Internet Explorer, Acrobat Reader, and Symantec Anti-virus Corporate Edition.
• Access to the Internet will be through Internet Explorer and e-mail will be through
Workforce Alliance's email system.
• Additional hardware and software may be requested by filing the proper form with the
Director or the staff member's immediate supervisor.
Training Rooms, Conference Rooms and Staff Workstations: Dedicated workstations for Workforce
Alliance use will be located at various locations of the four (4) sites. Only authorized staff with a proper
username and password may use these computers. All staff workstations will be connected to the network
and have access to a network printer. Staff are not allowed to make any hardware or software modifications
to any computer system.
• The Training Rooms are under the supervision of the IT Department. All modifications to the
workstations located in these rooms need the IT Department's approval or must be directly authorized
by the Director.
• All modifications to the workstations in the various classrooms/labs and in the career centers must
be authorized by the Director (or an authorized representative) and will be performed by IT personnel.
• Internet access and email access can only be through authorized programs (Internet Explorer and
the Workforce Alliance email server).
• No streaming media applications, instant messaging, or chat rooms are to be utilized on any
workstations unless authorized by management.
Public Resource Rooms: Customers and employers are only allowed to access Workforce Alliance systems in
pre-approved locations. The individual in charge of this area will maintain a login sheet that records the
name of the person, the station being used, and the date and time (on and off) that this person was on the
system. The user will then be provided with a visitor username and password.
• Currently the Resource Rooms located in Boca Raton, Belle Glade and Pine Trail are the only
authorized public access locations.
Printers, Copiers, Faxes, Scanners, and Other Shared Devices: All shared devices, either
on the network or stand-alone equipment, are under the province of the IT Department.
Only IT personnel or specifically authorized staff will service these items.
• All equipment of this nature that is placed on the Workforce Alliance network is under the direct
supervision of the IT Department.
IT Loaner Equipment: Workforce Alliance owns a number of items of a portable nature that are
available for use by staff members with the approval of the Director or the staff member's immediate
supervisor. When not in use these items will be stored in IT cabinets/closets, which will be locked at all
times when not under the direct supervision of an authorized IT staff member.
• The Director and designated IT staff members will be assigned the key(s) for the storage area(s).
Only these individuals have the authorization to access the IT Loaner equipment area(s).
• The IT Department will maintain a list of items available for loan. This list will be located in the
Workforce Alliance inventory system. These items will be inventoried according to subheading
Systems Documentation.
• Only staff members can check out items from the IT Department Room. To check out an item the
individual must contact one of the authorized IT staff members.
• Certain items may be reserved by contacting an authorized IT staff member who will place the
information on a calendar kept for that purpose.
• Once an individual signs out an item he or she assumes full responsibility until it is returned.
• The individual that signed for the item must return it on or prior to the due date/time to an
authorized IT staff member, and report any known problems with the item. The IT member is
required to at least spot check the item for any obvious damage or missing components. He or she
will then record its return in the inventory system and will report any irregularities to the Director or
IT.
Purchasing and Replacing Computers for Workforce Alliance
When purchasing a PC for a Workforce Alliance staff member or for public use, IT first and foremost
considers the programs utilized by each staff member to assure that the PC being purchased has enough
power and disk capacity to adequately run the programs of Workforce Alliance. In addition, a computer
should provide a minimum of 4-5 years of sound performance with minor maintenance and be purchased
with a reasonable maintenance contract for 4-5 years to eliminate maintenance cost and minimize IT
support of each computer.
The following applications are utilized by Workforce Alliance staff and require above-average hardware to
run efficiently:
1. Desktop Automation: MSOffice 2007 or MSOffice 2010 suite, which includes MS Word, Excel
spreadsheet, Access database, Publisher, Visio design software, PowerPoint and MSProject.
2. Special Applications: Payroll, Accounting, Finance, Oracle Database, Sage, etc.
3. State Systems: DCF, DMS, FDLS.
4. Once the software and hardware needs have been assessed, we get a minimum of three (3) quotes
from reputable vendors and state contract holders that provide Government/Not-For-Profit
vendor pricing and a 3-year maintenance contract, and finally purchase computers from the vendor
with the best price.
Four to five year replacement rule of thumb
1. When the cost of repairing a computer will exceed the cost of replacement, then it is time to
replace.
2. Computer applications also dictate changing out a computer. Microsoft Office 2010 has a
requirement for higher processor, RAM and disk space needs.
3. Based upon experience with the continuing changes and improvements in desktop computing
capabilities, it is recommended that a four to five year replacement cycle will create an adequate
platform to support standard business applications. However, each computer should be assessed
on a regular basis to ensure that it continues to support the unique work applications of its user.
Notes
1. Note on 64-bit versions of Windows:
Most applications and services commonly used at Workforce Alliance will run under 32-bit
versions of Windows; however, all new versions of software are now requiring a 64-bit processor
and OS version.
2. Note on Windows XP and Windows Vista Home Editions:
Home editions are not recommended for faculty and staff computers. These versions are not
compatible with the Workforce Alliance infrastructure.
Backup and Disaster Recovery plan via Remote Login
(Diagram: remote users connect over VPN to the co-location (COLO) at the EOC Category 5 building and work
in Terminal Services sessions reached through the Terminal Server by RDP or the website.)
Network Backup Flow Chart
(Flow chart image; not reproduced in the text.)
Daily Backup Maintenance
Logon to the backup server:
1. Logon to beets.
2. Start Symantec Backup Exec 2012 for Windows Servers.
Check Jobs:
1. Click the Job Monitor tab.
2. Look at the Job History and Job Status for successful completion of the scheduled jobs.
3. Double click the completed job for a report.
Check Alerts:
1. Click the Alerts icon.
2. Double click the alert for more info or to acknowledge it.
Check Media:
1. Click the Media tab.
2. Click the 5_week media set.
3. Verify there is enough overwritable or appendable media for the scheduled jobs.
4. Click the Netappprod1 media set.
5. Verify there is enough overwritable or appendable media for the scheduled jobs. Verify there is
enough disk space on drives D and E for the backup-to-disk files.
Offsite Backups
How to select tapes to move offsite.
Logon to the backup server:
1. Logon to beets.
2. Start Symantec Backup Exec 2012 for Windows Servers.
Select Media:
1. Click the Storage tab.
2. Under Job History, check the properties of the following jobs to determine the media used: right click
the job and select Properties. Expand the Device and Media Information section and look at "All media
used".
3. Jobs run from Friday night to Monday morning for a complete backup set of all sites; select the media
from all of the following jobs for the target date: Friday to Monday AM.
4. Make a list of the media used, usually 3 to 6 tapes.
Remove Tapes:
To export the media used in the jobs listed above, see Backup Tapes - Removing offsite tapes.
Backup Tapes -Removing offsite tapes
Removing tapes for offsite backup from the i500 Quantum library:
1. You must create a job to export media from Backup Exec and the robotic library.
2. Logon to beets and open Backup Exec.
3. On the navigation bar, click Devices.
4. Select the robotic library, TAPE001 or TAPE002.
5. Tape002 is for the SAN and all VMware servers.
6. Tape001 is for everything else.
7. Click Slots.
8. On the results pane, select the tape numbers you want to export.
9. Under Media tasks in the task pane, select Export media.
10. Enter a job name.
11. Click options.
12. Select Keep Data Infinitely-Do Not Allow Overwrite as the media vault.
13. Click ok and run the job.
14. Media is moved to the Import/Export portal on the robotic library.
15. Remove the tapes from the robotic library.
16. Click the media tab.
17. Click the Keep Data for 5 weeks Media set.
18. Select all the media exported.
19. Right click and select associate with media set.
20. Select the offsite set and click yes.
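The weekend media selection from "How to select tapes to move offsite" and the media-set re-association in steps 16-20 above, as an added example that is not part of the Workforce Alliance procedures: it assumes a hypothetical "Offsite" media-set name, a Friday 16:00 to Monday 12:00 job window, and constructed job-history records; nothing here queries Backup Exec.

```python
"""Selecting the tapes that go offsite for one weekend's backup set.

Added example, not part of the Workforce Alliance procedures: it models the
'How to select tapes to move offsite' steps (read the Job History, collect
'All media used' for the Friday-night to Monday-morning jobs, list the tapes)
and steps 16-20 of 'Removing offsite tapes' (re-associate the exported tapes
from the 5-week media set with the offsite set). Backup Exec is not queried;
the job records and media sets below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed sample of what the Job History shows per job:
# (job name, start time, media labels listed under "All media used").
SAMPLE_JOB_HISTORY = [
    ("SQL linked jobs PT+HQ incremental", datetime(2013, 4, 11, 6, 0), ["000012L5"]),
    ("Netappprod1 NDMP Full", datetime(2013, 4, 12, 16, 0), ["000031L5", "000032L5"]),
    ("Sharepoint and Masters incremental", datetime(2013, 4, 12, 17, 0), ["000012L5"]),
    ("MIPSERVER Backup Full", datetime(2013, 4, 13, 16, 0), ["000041L5"]),
    ("Remote sites and local Full", datetime(2013, 4, 13, 17, 0), ["000040L5", "000041L5"]),
    ("Sharepoint Farm Full Backup", datetime(2013, 4, 14, 17, 0), ["000042L5"]),
    ("SQL linked jobs PT+HQ incremental", datetime(2013, 4, 15, 6, 0), ["000012L5"]),
    ("Sharepoint and Masters incremental", datetime(2013, 4, 15, 17, 0), ["000043L5"]),
]

FIVE_WEEK_SET = "Keep Data for 5 weeks"   # media set the weekend jobs write to
OFFSITE_SET = "Offsite"                   # hypothetical name of the offsite set
FRIDAY = 4                                # datetime.weekday(): Monday == 0


def weekend_window(target_date):
    """(start, end) of the Friday-night to Monday-morning run that covers
    target_date (a datetime or ISO string). Assumption, not stated in the
    procedure: the window opens Friday 16:00, when the NDMP full starts,
    and closes Monday 12:00."""
    if isinstance(target_date, str):
        target_date = datetime.fromisoformat(target_date)
    midnight = datetime(target_date.year, target_date.month, target_date.day)
    friday = midnight - timedelta(days=(midnight.weekday() - FRIDAY) % 7)
    return friday.replace(hour=16), (friday + timedelta(days=3)).replace(hour=12)


def select_offsite_media(job_history, target_date, expected=(3, 6)):
    """Every tape used by a job that started inside the weekend window, each
    listed once. Returns (sorted labels, warnings); a warning flags an empty
    window or a tape count outside the 3 to 6 the procedure calls usual."""
    start, end = weekend_window(target_date)
    tapes, jobs = set(), []
    for name, started, media in job_history:
        if start <= started <= end:
            jobs.append(name)
            tapes.update(media)
    warnings = []
    if not jobs:
        warnings.append("no jobs between %s and %s; check the Job History" % (start, end))
    elif not expected[0] <= len(tapes) <= expected[1]:
        warnings.append("%d tapes selected, procedure expects %d to %d"
                        % (len(tapes), expected[0], expected[1]))
    return sorted(tapes), warnings


def move_to_offsite_set(media_sets, tapes):
    """Steps 16-20 of 'Removing offsite tapes': each exported tape must come
    from the 5-week set and is re-associated with the offsite set. media_sets
    (label -> media set name) is updated in place; labels that were not in
    the 5-week set are left alone and returned so the operator can check them."""
    skipped = []
    for label in tapes:
        if media_sets.get(label) == FIVE_WEEK_SET:
            media_sets[label] = OFFSITE_SET
        else:
            skipped.append(label)
    return skipped


if __name__ == "__main__":
    labels, notes = select_offsite_media(SAMPLE_JOB_HISTORY, "2013-04-13")
    print("tapes to export:", ", ".join(labels))
    for note in notes:
        print("warning:", note)
    sets = {label: FIVE_WEEK_SET for label in labels}
    print("not in 5-week set:", move_to_offsite_set(sets, labels))
```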
Restore a File:
Connect to the backup server:
1. Logon to beets.
2. Start Symantec Backup Exec 2012.
3. Click the Storage tab.
4. Click on Restore.
Select files or folders:
1. Click the View by Resource tab.
2. Expand the selections under the server with the missing file(s).
3. Select the most recent backup or the date required and expand the contents.
4. Navigate to the missing files or folders.
5. If there are no objects, go to the next oldest backup set (since the backups are differential, there are
no files if there were no changes during that period).
6. Repeat if necessary to find the last version of the file.
7. In the window on the right, select the files or folders.
Run the restore job:
1. At the bottom, click the Run Now button.
2. In the job summary window, click OK.
3. Click OK in any filter warning dialog boxes.
4. Click the Job Monitor tab.
5. The restore job should be active.
Verify the restore:
1. Verify the job completes successfully.
2. Navigate to the path of the missing files or folders and verify the file was restored.
3. Close Backup Exec and log off beets.
Backup Tapes - Adding
Adding tapes on the i500 Quantum backup library:
YOU MUST BARCODE THE TAPES BEFORE INSERTING THEM IN THE TAPE LIBRARY.
1. Logon: admin
2. Password: password
3. Open the portal door on the right side of the i500.
4. Insert tapes for one partition at a time (partitions are san01 or network01).
5. You cannot import the cartridges until you assign them to a partition from the front panel. Once
you assign the partition you can import from the front panel or web interface.
6. After inserting the tapes follow the on-screen instructions and choose the destination partition. Login
credentials are admin/password. Tapes will not show up in the web interface until you select the
destination from the control panel.
7. Press the Operations tab and choose Media Import.
8. Select the partition. Check the tapes to import and click Apply.
9. Click Logout.
Import the Media in Backup Exec (BE):
1. Logon to beets and start BE.
2. Go to Devices, select the robotic library, then Slots.
3. Click an empty slot; under Media Tasks, click Scan.
4. Click the slot; under Media Tasks, select Import Media.
5. In the job settings, under Options, select "auto-inventory after import is completed". Click OK. This
forces a read of the media, changes the type from unknown to blank, and associates it with the scratch
media set.
6. (To inventory media separately in BE: Devices > Robotic libraries > Slots > right click the slot and
click Inventory.)
Set Media Properties:
1. To set media properties, go to the Media view, right click the tape, choose Properties, General tab,
Media type.
2. Choose LTO; for subtype choose LTO.
Erasing and deleting B2D files
To erase a backup-to-disk file:
1. Logon to the backup server beets.
2. Open Symantec Backup Exec 2012 for Windows Servers.
3. Click the Storage tab.
4. Expand the Backup-to-disk devices.
5. Click Slots.
6. In the media list, right click the media to erase.
7. Select Erase.
8. The file is moved to scratch media.
To remove (delete) the B2D file:
1. Make a note of the file number to delete.
2. Click the Media tab.
3. Click on Scratch Media.
4. In the media list, right click the media and select Associate with media set.
5. In Associate with, choose Retired Media.
6. Click Retired Media.
7. Right click the media and choose Delete.
8. Go to My Computer, drive D:.
9. Navigate to one of the 3 B2D folders, _Remote_Servers_BB (BG, or Fern).
10. Find the file number noted above and erase the B2D files in the folder.
Weekly backup schedule (reconstructed from the table in the original; the Sunday column contained no
legible entry):
Monday to Thursday
• 6 AM, Tape001: SQL linked jobs, PT and HQ data + logs, incremental.
• 5 PM, Tape001: SharePoint and Masters incremental daily; remote sites and local incremental, 5 PM finished.
Friday
• 6 AM, Tape001: SQL linked jobs, PT and HQ data + logs, FULL.
• 4 PM: Netappprod1 NDMP Full, 7 PM finish.
• 5 PM, Tape001: SharePoint and Masters incremental daily; remote sites and local Full (BB, HQ, BG, PT).
Saturday
• SharePoint Farm Full Backup, 5 PM finished.
• MIPSERVER Backup Full, 4 PM finished.
Systems Documentation Inventory and Policy
The subheading Systems Documentation contains the procedures for recording the
acquisition of new resources and maintaining the inventory of existing equipment and
materials.
All new acquisitions will be classified as either consumable or durable. Supplies are items
classified as consumable such as recordable media, toner, ink cartridges, paper, RJ45, and
CAT5 cable. Durable items are divided into hardware (equipment) or software and licenses.
When a shipment is received the items will be examined for damage and marked off the
packing list, which will be initialed and dated. The packing list will be attached to the
corresponding purchase order. Any damaged, missing, backordered, or extra
items are to be noted and the vendor is to be contacted promptly.
Supplies
• Ink cartridges: are the responsibility of the individual user
• Toner: 1 set should be in stock for every four printers of that model
• Drums, Imaging Units, etc.: 1 will be in stock if there are four or more printers of that model on
campus
• Recordable Media: will be reordered when the following minimum levels in stock are reached
  o CD-R: 25
  o CD-RW: 5
  o DVD-/+R: 5
  o Data Tapes: 2/drive
• Cabling Supplies: will be reordered when the following minimum levels in stock are reached
  o RJ45: 30
  o Jacks: 5
  o CAT5 Patch Cable: 10
  o CAT5e: 300' (should be plenum)
• Other Supplies: minimum levels will be established by the Director of Information Technology
• Workforce Alliance staff members may request supplies from the IT Resource Center.
Hardware
All hardware/equipment will be given an orange Workforce Alliance ID Tag with a unique number.
Unauthorized removal or modification of a tag is strictly forbidden.
Inventory Database
All hardware/software will be recorded in the Workforce Alliance IT Inventory Database. Certain
component items will be listed together as a single unit, such as a PC. A PC includes the hard drive, RAM,
other internal components, along with a keyboard and mouse. The IT Inventory Database will utilize the
following fields (if applicable) for each record:
• Workforce Alliance ID #
• Description
• Purchase Order #
• Manufacturer
• Model #
• Serial #
• IP address (if static) - Optional
• MAC Address - Optional
• Network Name - Optional
• Physical Location
• User's Name
• Processor/CPU speed and type
• RAM - Optional
• Hard Drive
• Internal Drives (CD, DVD, etc.) - Optional
• Graphics Card - Optional
• Sound Card - Optional
• Modem - Optional
• Keyboard and Mouse - Optional
• Screen size and type - Optional
• Available ports or outlets - Optional
• Available slots - Optional
• Available bays - Optional
• Date salvaged
Software
All software and licenses will be inventoried using the database; in addition, a hard copy
record will be maintained in a fireproof cabinet or offsite. Software will be tagged or assigned a Workforce
Alliance ID number. Software will be categorized as a box license, site license, or network version
(including CAL), along with whether the seats are concurrent or static. The following fields will be used in
the IT Inventory Database for each record (if applicable):
• Description/Title
• Version
• Publisher
• Serial #
• Product ID #
• Purchase Order #
• License Type
• Number of Licenses/Classification
• License #
• Key Code
• Workforce Alliance ID # (where it is installed)
IT Inventory Database
Any new acquisition classified as hardware or software will be entered into the database
prior to its allocation. Any modification to a PC, network appliance or device, or any
supported system must be documented in the IT Inventory Database. The staff member
making the alterations, including the installation of software or relocating the device, must be
authorized by the Director of Information Technology or a properly designated
representative. Items designated as salvage/surplus by the Director of Information
Technology will be noted in the database, listing the date the item is removed from
inventory.
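The inventory records and the checks these procedures imply, as an added example that is not the Workforce Alliance IT Inventory Database: the SQLite tables, column names, and sample rows are constructed, and the static-IP check applies the 192.168.x.xxx internal scheme stated under Network Structure.

```python
"""IT Inventory Database model with the checks the procedures imply.

Added example, not the Workforce Alliance database: hardware, software and
installation tables built in SQLite from a subset of the field lists under
Inventory Database and Software, plus three checks: (1) an orange ID tag
number cannot be reused, (2) static IPs of assets still in inventory fall in
the 192.168.x.x scheme given under Network Structure, and (3) no title is
installed on more assets than it has licenses. Every name and row is constructed.
"""
import ipaddress
import sqlite3

SCHEMA = """
CREATE TABLE hardware (
    wa_id             INTEGER PRIMARY KEY,  -- Workforce Alliance ID # (orange tag)
    description       TEXT NOT NULL,
    serial            TEXT UNIQUE,
    ip_address        TEXT,                 -- recorded only if static
    physical_location TEXT NOT NULL,
    user_name         TEXT,
    date_salvaged     TEXT                  -- NULL while the item is in inventory
);
CREATE TABLE software (
    wa_id         INTEGER PRIMARY KEY,
    title         TEXT NOT NULL,
    license_type  TEXT,                     -- box, site or network (incl. CAL)
    license_count INTEGER                   -- NULL = site license, unlimited seats
);
CREATE TABLE installation (                 -- "Workforce Alliance ID # (where it is installed)"
    software_id INTEGER NOT NULL REFERENCES software(wa_id),
    hardware_id INTEGER NOT NULL REFERENCES hardware(wa_id),
    PRIMARY KEY (software_id, hardware_id)
);
"""

# Constructed sample rows, in the column order of the tables above.
SAMPLE_ROWS = {
    "hardware": [
        (1001, "Dell desktop", "SN-A1", None, "HQ room 210", "J. Smith", None),
        (1002, "Dell desktop", "SN-A2", None, "HQ room 211", "K. Jones", None),
        (1003, "Network printer", "SN-P1", "192.168.10.50", "HQ hallway", None, None),
        (1004, "Old print server", "SN-S1", "10.1.1.5", "NOC", None, None),  # outside scheme
        (1005, "Retired desktop", "SN-A9", "10.9.9.9", "Surplus", None, "2012-11-30"),  # salvaged
    ],
    "software": [
        (5001, "MS Office 2010 Standard", "box", 1),
        (5002, "Acrobat Reader", "site", None),
    ],
    "installation": [(5001, 1001), (5001, 1002), (5002, 1001), (5002, 1002)],
}

PRIVATE_SCHEME = ipaddress.ip_network("192.168.0.0/16")


def build_inventory(rows=SAMPLE_ROWS):
    """In-memory inventory loaded with the sample rows, foreign keys enforced."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("PRAGMA foreign_keys = ON")
    for table, data in rows.items():
        marks = ",".join("?" * len(data[0]))
        con.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), data)
    con.commit()
    return con


def static_ips_outside_scheme(con):
    """(wa_id, ip) for in-inventory assets whose static IP is not 192.168.x.x
    or is not a valid address at all; salvaged items are skipped."""
    bad = []
    for wa_id, ip in con.execute("SELECT wa_id, ip_address FROM hardware WHERE "
                                 "ip_address IS NOT NULL AND date_salvaged IS NULL"):
        try:
            if ipaddress.ip_address(ip) not in PRIVATE_SCHEME:
                bad.append((wa_id, ip))
        except ValueError:
            bad.append((wa_id, ip))
    return bad


def over_installed_software(con):
    """(title, licenses, installs) for titles installed on more in-inventory
    assets than they have licenses; site licenses (NULL count) never match."""
    return con.execute("""
        SELECT s.title, s.license_count, COUNT(*) AS installs
        FROM software s
        JOIN installation i ON i.software_id = s.wa_id
        JOIN hardware h ON h.wa_id = i.hardware_id AND h.date_salvaged IS NULL
        WHERE s.license_count IS NOT NULL
        GROUP BY s.wa_id
        HAVING installs > s.license_count""").fetchall()


def add_asset(con, wa_id, description, location):
    """Record a new tag number; False when that tag is already in use."""
    try:
        with con:
            con.execute("INSERT INTO hardware (wa_id, description, physical_location) "
                        "VALUES (?, ?, ?)", (wa_id, description, location))
        return True
    except sqlite3.IntegrityError:
        return False
```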
Network Structure
The subheading Network Structure elaborates on the basic information supplied in the IT
Department Policies (p. 8-9) concerning the design, implementation, maintenance, and
utilization of the information networks at Workforce Alliance. The basic structure of the computer network
at Workforce Alliance will be a client/server domain controller on a Fast Ethernet network running TCP/IP.
Physical Structure/Layers 1-2
The primary media used for vertical drops will be CAT5e or higher cable with RJ45 or
Keystone Jacks for terminations. Patch panels and keystone jacks will be wired using the
T568B standard. 802.11(x) will be used for wireless networking when and where appropriate.
Additional information on wireless network structure will be located under subheading
Wireless Network of the IT Operational Procedures. Horizontal runs between the NOC and
the primary IDF locations will utilize fiber optic cable with a minimum rating 1 gigabit.
Horizontal runs from a primary IDF to a local switch will utilize CAT5e or higher cable. All
switches will be rated at 100 megabit or higher, with new acquisitions being VLAN capable.
Protocols
Workforce Alliance's computer network will use TCP/IP as the primary protocol. TCP/IP addresses will be
assigned to servers, network appliances (switches, etc.), network printers, and other devices designated by the
Director of Information Technology. The TCP/IP addresses used will be one of the
private sets reserved for private networks. The Director of Information Technology will assign internal
addresses utilizing the following scheme:
• Servers and Network Devices: 192.168.x.xxx
• IP Telephony Devices: 192.168.x.xxx
• Workstations: 192.168.x.xxx (generally set by DHCP)
The Director of Information Technology will assign all public TCP/IP addresses to the appropriate
devices (such as the Web and E-mail servers) using those numbers assigned to Workforce Alliance by the
Internet Service Provider (ISP), Windstream.
Primary Domain Controller Server
The Primary Domain Controller will be the server that administers and controls the Workforce Alliance
domain. This server will control the permissions for the network and network devices,
allowing access according to the rights assigned to each user. All users must log onto this
server to obtain access to Workforce Alliance’s network. All passwords will be stored on this server,
eliminating the security risks of keeping passwords on individual workstations. The Primary Domain
Controller will be located in a physically secure area and password protected. Electronic access to this server
will be limited to the IT Department and the Director. Under special circumstances the Director may give
temporary authorization to another IT staff member.
Main and Intermediate Distribution Facilities
The primary Network Operation Center (NOC), located at 1951 N. Military Trail, West Palm Beach, will be
located in a secure area with restricted access. The Director will allocate keys for the NOC to IT staff,
the Facilities Manager and other authorized personnel. The NOC will house the POP (Point of Presence)
for the telecommunication and Internet connections, in addition to the primary server bank. The NOC is
the center hub of the extended star network topology; all fiber optic horizontal runs terminate on the central
switch.
Servers
The primary domain controller and most other servers will be located in the NOC. Workforce Alliance will
maintain 33 servers for the support of all four (4) Workforce Alliance sites. The servers will provide the
following applications and TCP/IP protocols as needed to support all centers:
• Authentication
• DHCP
• Proxy/Firewall
• IP Telephony
• E-mail
• Web
• Staff Files
• Business Applications
• VSphere 5 Virtual Host
• NetAPP SAN (Storage Area Networks)
• Disaster Recovery VSphere 5 and NetAPP SAN equipment at the EOC Building
The Administrator passwords for the network and servers will be set and maintained by the
IT Department. The list of passwords will be documented and stored in a
file in the IT Department's lockable fireproof cabinet. The same procedure will be followed
in regards to the administrative password for all workstations and devices at Workforce Alliance.
Telephone and Internet Connections
Workforce Alliance maintains four (4) telephone systems, with one system located at each site. They are
interconnected to work as one telephonic system.
For Internet connectivity a 100 Megabyte circuit is in place. Three (3) sites connect to 1951 N. Military Trail
through their own 10 Megabyte MPLS circuits.
Network Access
The subheading Network Access contains the procedures for new and existing employee’s access to network
resources. New users (or existing users who need to
make changes) must follow these procedures to be issued a(n): user name, initial password,
roaming profile, home directory, and their Workforce Alliance email account. Access to specific components
or programs on the network, in addition to security levels will be
assigned through the procedures established herein. Workforce Alliance maintains the ownership of all user
accounts along with rights to monitor and access the information therein.
As stated in the IT Department Policies (p. 9), the employee must complete, sign, and
submits forms with the HR Department called a security agreement form. The IT Department will create a
unique user name, initial network password, roaming profile, and home directory for the employee. The
employee will also be given access to a Workforce Alliance email account with the same user name as for
accessing the network, with an address of [email protected]
For more information on email see subheading E-Mail Use. In certain instances the employee may also be
given to a positional email account such as:
[email protected] if needed when working on special projects with staff or the IT Department.
If a new employee (or an existing employee modifying their access) needs additional network access to
restricted resources, he or she must complete a security form with the request. Restricted resources include
any software platforms, databases, or other resources that have security levels, additional password
requirements, or information that contains sensitive materials (as prescribed by the administration of
Workforce Alliance). Once the employee completes the form it must be submitted to their immediate supervisor
for approval. After the supervisor reviews the application and signs the form, it is forwarded to the Director
of Information Technology for final approval. The Director of Information Technology has three working days
to approve or deny the request. If denied, he/she will notify the applicant with an explanation. If approved,
the following process will occur:
• The Director will complete, or assign an IT staff member to complete, the proper access, passwords,
user name, etc. for the employee making the request. This will be completed within a reasonable time
period.
• An IT staff member will contact the employee to provide an orientation/training on the network
resources that are being made available. This will include information on the appropriate policies and
procedures that govern use of the college’s resources. During this orientation the employee will be
given the access and security level that were approved.
In the case of new employees the department head or area supervisor may initiate the request
process. However, the user name, passwords, or other security codes will not be given to the
employee before the employee signs, dates, and submits the appropriate forms to the
Director of Information Technology or IT staff member.
Internet access for workshops can be handled through the normal processes stated
Issues involving the access and use of a wireless network will be located under subheading
Network Security
The subheading Network Security contains the procedures for providing the highest level of security for the
Workforce Alliance network while maintaining a high degree of usability. All network users and staff must
complete and sign a security agreement form at hire from the HR Department, which is then directed via
email to the Director of Information Technology (see subheading Network Access). Upon approval, the
Director of Information Technology (or authorized personnel) will, within three working days, create a unique
user name, initial network password, roaming profile, and home directory for the employee. The employee
will also be given access to a Workforce Alliance email account. If access to restricted applications or specific
components of such programs is required, the user must complete and submit a form as outlined in subheading
Network Access.
Issues pertaining to the security of the operation of a wireless network will be located under subheading
Wireless Network of the IT Operational Procedures.
User Names and Passwords
The following procedure will be adhered to with regard to the creation/issuing of user names and passwords
unless specifically altered by the Director. Employee user names will be the first initial of the person’s first
name along with the last name. The Director of Information Technology (or designated representative) will
assign the default passwords and the user will be required to change the password on the initial login.
• Passwords are case sensitive and must be a minimum of 8 characters
• Staff passwords must be changed at a minimum of once every 45 days
• IT personnel and other users with administrative rights must change their password a minimum of
once per month
• The same password may not be used twice in a row
• The person assigned to a particular user name is responsible for its use; therefore it cannot be
shared with other individuals or groups
  o Violations must be reported to the Director
• The Administrator password for a workstation or device will be designated by the Director
  o This password will be recorded in a secure cabinet in the IT Director’s Office
  o Only the Director of Information Technology and those staff members authorized by the
Director will have access to the password(s)
• The Administrator password for the Workforce Alliance network will be designated by the Director
of Information Technology
  o This password will be recorded in a secure cabinet in the IT Office
  o Only the Director and upper management, along with authorized personnel, will have access
to the password(s)
• All staff user names will be given restricted privileges on the network and individual workstations by
default
  o The Director may authorize higher levels of access for IT staff members and other users
under special circumstances
  o Users may request higher access levels by following the procedure outlined in subheading
Network Access
Firewalls and Virus Protection
The IT Department will maintain a proxy server and/or a network firewall protecting Workforce Alliance’s
four (4) sites from outside intrusion. No server, workstation, or other network device will be assigned a
public IP address without the prior approval of the Director of Information Technology. The IT Director
will assign public IP addresses from those assigned to Workforce Alliance by the ISP. Any device with a
public IP address must have a firewall protecting it from outside intrusions. Any successful or even a
persistent attempt to breach the Workforce Alliance systems must be reported to the Director promptly.
Any attempt by a Workforce Alliance network user to intentionally breach or bypass a secure/restricted
system without authorization will result in loss of network privileges. The Director will report such
occurrences to the CEO/President of Workforce Alliance, or designated representative, for additional
actions (such as suspension or termination, or even possible legal action).
The IT Department will maintain virus protection on the email smart host to scan incoming messages, and
on all other servers, workstations, and appropriate network devices. To limit possible routes of infection, the
preferred method of data transfer from the outside to systems on our network will be through email
attachments. Staff members are allowed to use removable disk media or other portable storage devices such
as USB key drives. Before data is transferred onto the Workforce Alliance system it must be scanned using
an up-to-date virus protection program. Employees are not allowed to use portable storage devices or
recordable disks on Workforce Alliance equipment without having a staff member scan the data for viruses.
In the case of CD-R or similar DVD formats, the staff member may initial the disk after the scan, thus
bypassing this step in the future. Under certain circumstances the Director may authorize a staff member to
perform his or her own virus scans.
Suspicious email/attachments/files should not be opened and must be reported to an IT staff member.
Any computer/network problems that may be due to a virus or other outside intrusion likewise need to be
reported promptly to an IT staff member. These reports will be forwarded to the Director of Information
Technology for further investigation and action.
Affected devices may be removed from the network by any IT staff member to halt the transmission of the
infection or intrusion until the Director, or a designated representative, gives authorization to reconnect the
device. Infecting, or transmitting a virus, worm, other malicious code or “spam” on or from Workforce
Alliance equipment is strictly prohibited, and must be reported to the Director. In cases of gross negligence
or intentional violations of this policy the Director will report the occurrence(s) to the President of
Workforce Alliance, or designated representative, for additional actions (such as suspension or termination,
or even possible legal action).
Internal Security of the Workforce Alliance
To protect the overall security of the LAN, individual users will have only restricted rights on the workstation
they use, unless authorized by the Director (see Network Access). The purpose is to limit the ability to
download and install harmful programs or code. It also limits the ability to inadvertently change settings
that could adversely affect the performance of an application, workstation, or the overall network.
Incorrectly setting an IP address, for example, could halt the operation of the telephony system. No user,
other than IT personnel designated by the Director, will have administrative rights on any computer other
than the station assigned (i.e. their office computer). The Director may authorize special access for academic
purposes in classrooms where a particular application’s use requires a higher level of rights.
All downloads (see forms section) or the installation of programs onto any system at Workforce Alliance
require adherence to the proper policies and procedures as outlined in this manual. The Director, or a
properly designated representative, will approve or deny authorization on a case-by-case basis depending on
issues of resources, licensing agreements, and security.
The security of servers, along with the data stored upon them, is the primary responsibility of the Director
of Information Technology. Servers must be maintained in a secure lockable area with access limited to IT
Staff and others specifically authorized by the Director. Data residing on the 33 servers will be backed up on
a regular basis to a robotic backup system located at the main office at 1951 N. Military Trail, West Palm
Beach, and replicated to the other sites, including Belle Glade and Boca Raton. In addition, beginning the
week of October 15-19, a complete replica of the data on Workforce Alliance’s 33 servers will be replicated
to the EOC Category 5 building as a DR (disaster recovery) site in the event of a major disaster.
Systems or files designated as critical by the Director or the President will be backed up using the same
procedure a minimum of every working day. Archiving of email to removable storage media will depend
on its nature. However, for critical systems/files a weekly archiving schedule will be the minimum.
Archived media will be stored in a lockable fireproof storage unit. Access will be limited to those specifically
authorized by the Director of Information Technology.
Security of individual workstations and the data stored upon them is the primary responsibility of the
assigned user. When the area is open to the public the individual user should lock their computer and/or
use a password-protected screensaver when logged on to the system. When a user will be absent from their
station for an extended period of time it is recommended that they shut down the system or log off. If using
a common area computer a user must log off the system before leaving.
Internet Use
The subheading Internet Use contains the procedures governing staff access to and use of the Internet. This
procedure also establishes guidelines on how Workforce Alliance connects to the Internet.
As stated in the IT Department Policies (p. 9), the employee must complete and sign a security agreement
form from HR, which is then submitted to the Director of Information Technology. Upon approval, the IT
Staff (or authorized personnel) will create a unique user name, initial network password, roaming profile,
and home directory for the employee (see Network Access). No one is allowed access to the Internet using
Workforce Alliance equipment without completing this form from HR. Exceptions will be made for special
workshops or events with the approval of the Director of Technology.
Additional Internet access would include any ability to download files from the Internet using FTP or related
protocols or plug-ins not normally provided to employees, or passwords to restricted web sites (as prescribed
by the administration of Workforce Alliance). Once the employee completes a security agreement it must
be submitted to the department head or area supervisor for approval. After the supervisor reviews the
application and signs the form it will be forwarded to the Director of Information Technology to receive
final approval. The Director of Information Technology has three working days to approve or deny the
request.
If denied, he/she will notify the applicant with an explanation. If approved, the following process will occur:
• The Director will contact IT Staff to establish the proper access, passwords, user name, etc. for the
employee making the request. This will be completed in three working days.
• An IT staff member will contact the employee to provide an orientation/training on the Internet
resources that are being made available. This will include information on the appropriate policies and
procedures that govern their use. During this orientation the employee will be given the access and
security level that were approved.
In the case of new employees, the department head or area supervisor may initiate the request process.
However, the user name, passwords, or other security codes will not be given to the employee before the
employee signs, dates, and submits the security agreement to the Director of Information Technology.
Internet access for workshops and for the public library computers can be handled in a separate manner.
These stations will log into the network using a special user name with restricted access levels. Software or
other blocking devices may be used on these stations to restrict web surfing beyond the normal levels
prescribed at Workforce Alliance. Monitoring the use of the public stations in the Resource Rooms will be
governed by policies and procedures established by the manager of Workforce Alliance administration.
Other aspects of these workstations will still be under the governance of the IT Department.
Internet access for workshops can be handled through the normal processes stated above, or, in special
instances where this procedure is deemed unnecessarily cumbersome, the following procedure may be
substituted. This would be the case for a single-day workshop whose participants are primarily not staff
and are unlikely to need access to the Workforce Alliance network again in the foreseeable future. Under
these or similar circumstances the organizer of the workshop or event may request an exemption from the
Director of Information Technology by completing and submitting a security agreement form at least three
(preferably five) working days prior to the event. If approved, the Director of Information Technology or
authorized IT Staff will create a special user name and password, along with the appropriate network
access and resources, to be used by the organizer of the event. These will be removed from the system
within five working days after the end of the event. The organizer will be responsible for ensuring that the
participants of the event follow the appropriate policies and procedures governing use of the network and
Internet at Workforce Alliance. The Director of Information Technology has the primary responsibility
for the establishment, maintenance, and regulation of the Internet at Workforce Alliance. He or she may
delegate these roles, in part, by designating an IT staff member as the web master (etc.), with the consent
of the Director of Information Technology. The following are general guidelines regarding the Internet at
Workforce Alliance:
• The Proxy Server will control Internet traffic between the LAN and the WAN, unless specially
approved by the Director.
• A log of Internet traffic will be maintained by the Director of Information Technology or assigned
staff, and will be periodically reviewed for inappropriate use. The log will be archived for a
minimum of 14 days before being deleted.
• Known or suspected use of the Internet that is inappropriate is to be reported promptly to the
Director of Information Technology, and appropriate blocks of internet sites will be made.
Inappropriate use includes, but is not necessarily limited to:
  1. Downloading, storing, or printing files or messages that are profane, obscene, or that use
language or images that offend or tend to degrade others.
  2. Violating copyright laws
  3. Using Workforce Alliance resources for commercial or financial gain without administration
approval.
  4. Vandalizing data of others, damaging equipment, gaining unauthorized access to resources,
or invasion of privacy
  5. Using other people’s accounts, or posting personal communications without the original
author's consent
  6. Wastefully using finite resources, including the unsanctioned use of Internet radio or
streaming video (permission must be granted by the Director of Information Technology or an
officially designated representative).
• Inappropriate use of the Internet at Workforce Alliance could result in the termination or restriction
of the user’s accounts, in addition to other penalties established by the administration of the college.
• To maintain acceptable bandwidth, the Director of Information Technology will establish a point
system to calculate typical and high traffic usage rates.
• The Director of Information Technology or designated representative will maintain a reasonable
level of security, including proxy settings and/or firewalls, against outside intrusions. Virus, spam,
and other appropriate protections will be maintained at reasonable levels. The Director of
Information Technology will be notified of breaches, and be given periodic assessments on the
security status along with any suggested or required upgrades.
• The Database Administrator or designated representative will establish, maintain, and upgrade the
Workforce Alliance web site. He or she will establish guidelines for the format and content of all
web sites hosted on any domain owned or controlled by the college.
• The Director of Information Technology or designated representative is responsible for the
establishment, maintenance, removal, and allocation of all domains, IP addresses, bandwidth, and
related items owned or controlled by Workforce Alliance.
E-Mail Use
The subheading E-Mail Use contains the procedures governing establishment and use of staff e-mail
accounts provided by Workforce Alliance. As stated in the IT Department Policies, the employee signs
a usage policy from HR upon hire. Upon approval, the IT Director (or authorized IT personnel) will,
within three working days, create a unique user name, initial network password, roaming profile, and home
directory for the employee (see Network Access). At this time the user will also be assigned an email
account.
The status of the person requesting the account will determine what domain will be used, the format of the
user name, the default password, and the storage space allotted. The Director of Technology will consider
exceptions under special circumstances.
Workforce Alliance Administrative Offices
• The account will be created on the PBCAlliance.com domain
• User name will be the first initial of the first name and the full last name; for example, John Doe
would be [email protected]
• The default password for a new staff member will be “first”. After first login, the new employee
will be prompted to enter their own complex password
• Default storage space will be limited to 500MB
Workforce Alliance Staff at remote sites
• The account will be created on the PBCAlliance.com domain
• User name will be the first initial of the first name and the full last name; for example, John Doe
would be [email protected]
• The default password for a new staff member will be “first”. After first login, the new employee
will be prompted to enter their own complex password
• Default storage space will be limited to 250MB
Public Group Addresses
• The account will be created on the PBCAlliance.com domain
• User name will be the first initial of the first name and the full last name; for example, John Doe
would be [email protected], which will be an Exchange Distribution Group
with special staff members added as recipients to the group.
• The default password for a new staff member will be “first”. After first login, the new employee
will be prompted to enter their own complex password
• Default storage space will be limited to 250MB
The Director of Information Technology or a person officially designated as Postmaster, will establish and
maintain an email server capable of hosting the domains listed above along with reserving the required
number of public IP addresses. The Postmaster will perform the required system maintenance, including
software updates, required upgrades to the hardware, virus protection, and other configurations as needed.
Disk storage and reasonable bandwidth will be maintained at a minimum level for twice the total number
of Workforce Alliance staff. In addition to ensuring adequate virus protection to the email server the
Postmaster will make all reasonable efforts to eliminate spam from entering the system or originating from
it.
The Policies and Procedures of the Workforce Alliance IT Department govern all email accounts provided
by Workforce Alliance. By accessing the account, the user is consenting to the provisions established by the
Workforce Alliance HR Department.
Requests for Service
The subheading Requests for Service details the procedures for differentiating between basic
troubleshooting, emergency services, and regular service requests. Each of these different services has its
own related procedures with regard to scheduling priorities, how service is rendered, and the reporting
processes. In many circumstances, the decision of which procedure to use is left to the discretion of the
IT staff member on the scene.
Regular Service Requests: The preferred method of handling any service request is to have the individual
asking for support complete Form IT-B and submit it to the Director of Technology. The Director will
then review the application and either approve or disapprove the request. This decision will be rendered in
one or two working days under most circumstances.
• If disapproved, the Director will contact the individual making the request, explain why it was
rejected, and suggest a possible solution to the problem.
• If approved, the Director will assign a priority level and service number to the application and will
forward it to the appropriate IT personnel.
• The IT staff member will then complete the request, or assign it to another IT staff member.
  o Upon completion of the service request, the proper form must be dated and initialed by the
IT staff member and returned to the Director.
  o The IT staff member completing the service request must also complete (if applicable) an Online
Ticket and submit it to the IT Department.
• Priority levels will range from 1 (the highest) to 3 (the lowest). All the requests with a ranking of 1
must be completed before work can start on those with a ranking of 2, and so on.
  o The Director can reassign a ranking based on changing circumstances.
  o IT personnel may complete several related work requests of various priorities if it is more
efficient, such as fulfilling all open requests on a particular workstation.
• Requests that involve changing or resetting user names or passwords, or creating a roaming
profile/network drive, require the completion and submission of a security agreement form. Upon
receipt of the application the Director will proceed as if it were a regular service request.
• A request for Internet downloads or software installation requires the completion and submission
of an IT Ticket. Upon receipt of the application the Director will proceed as if it were a regular
service request.
• Requests for changing access levels/rights on the network or an individual workstation require the
completion and submission of an IT Ticket. Upon receipt of the application the Director will
proceed as if it were a regular service request.
• An IT Ticket must accompany requests that require the purchase of hardware, software, or services
not already available at the college.
Basic Troubleshooting Service Requests: These requests deal with basic service of equipment or common
application problems such as: not being able to access the network or related services, reconnecting a
network drive path, a printer/copier being out of toner or staples, or a problem with a software application.
Proper procedure in these cases is to contact the Director of Information Technology or the IT Staff.
• The Director or the IT Staff member will note the occurrence on the weekly troubleshooting log,
and at their earliest convenience the person on call will investigate the situation.
• If possible the IT member will fix the problem and will then initial the entry on the weekly
troubleshooting log.
• The IT member will then complete and submit (if applicable) an IT Ticket to the Director. Notes
should be filed for reference in future troubleshooting cases.
  o There are certain cases that do not require the completion and submission of work notes,
such as a basic and routine procedure where someone had the caps lock on while typing in their
password, or the computer had been moved and the patch cable came out.
  o An IT Ticket must always be completed if a hardware component was replaced or if software
needed to be installed.
• If new hardware or software needs to be purchased to remedy the problem, an IT Ticket must be
completed and submitted to the Director.
Emergency Service Requests: These are the highest priority service requests. Work will commence as
soon as possible, even prior to the completion and submittal of the proper forms to the Director. The IT
staff member(s) completing the service must submit work notes and/or an IT Ticket to the Director as in the
case of a basic troubleshooting service. Emergency services will be limited to those systems designated as
mission critical to the Workforce Alliance.
• The following have currently been designated Mission Critical Systems:
  o Network accounting applications
  o FX Scholar or Empower software
  o Telephone communications
  o Internet communications to Fastlane and online transactions
  o Instructional technology services
  o File and application servers
Purchasing Procedure
All procurement of hardware, software, or technology services that will be part of or impact Workforce
Alliance’s data or communications networks must be purchased through the IT Department. The purpose
of this process is to ensure compatibility of new components with the existing infrastructure and to
maximize the efficiency of our resources. The IT Department will only maintain and service equipment and
software that was procured, allotted, and implemented in a manner consistent with the appropriate policies
and procedures.
• The individual wishing to make a purchase must complete an IT Ticket and submit it to the Director
of Information Technology.
  o The form must have the signature of the appropriate departmental supervisor or grant
officer.
  o The form must have the appropriate fund number and be an allowable expense.
  o The exact item does not have to be listed, although a detail of features or capabilities that
are required should be included. For example, one would not have to list an HP 4550DN, but
rather just ask for a color laser printer with a duplexer.
• The Director will evaluate the request and determine if the product or service is already available, or
needs to be acquired from outside sources. The Director will either approve or deny the request in 3
working days (if feasible), with an explanation of why it was denied, if applicable.
  o If approved the request will be processed by the IT Department.
  o At least two approved vendors will be contacted for quotes.
  o After choosing a vendor the Director (or authorized representative) will complete a Workforce
Alliance Purchase/Check Request according to the appropriate procedures of the college.
  o Upon receiving approval from the Workforce Alliance headquarters the Director (or
authorized representative) will place the order with the vendor.
  o Once the order is received it will be inventoried according to the IT Department’s policies
and procedures. Then the individual/program officer requesting the product/service will be
notified.
  o The IT Department will keep one copy of all documents for their files.
Organization of Information Security
Monitoring, recording and reporting information system and/or information security breaches
This document deals with the organization and management of information security within Workforce
Alliance.
Internal organization
This section establishes a management framework to initiate and control the implementation of
information security within Workforce Alliance, consistent with, and complementary to, the information
management policies and procedures adopted by Workforce Alliance management. Contacts with external
security specialists or groups, including relevant authorities, are developed to keep up with industry trends,
monitor standards and assessment methods, and provide suitable liaison points when handling information
security incidents.
Workforce Alliance commitment to information security
The Workforce Alliance Director of Information Technology actively supports security within the
organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgment
of information security responsibilities.
The Workforce Alliance Director of Information Technology and the IT Staff are responsible for:
a. ensuring that information security goals are identified;
b. formulating, reviewing, and approving information security policy;
c. reviewing the effectiveness of the implementation of the information security policy;
d. providing clear direction and visible management support for security initiatives;
e. recognizing and handling security breaches of information systems;
f. handling disasters and the recovery from disasters;
g. providing the resources needed for information security;
h. approving assignment of specific roles and responsibilities for information security, to the extent
possible, across Workforce Alliance;
i. initiating plans and programs to maintain information security awareness; and
j. ensuring, to the extent practical, the implementation of information security.
Information security co-ordination
Information security co-ordination involves the co-operation and collaboration of the CEO, directors,
managers, supervisors, users, remote administrators (i.e., EFM, OSST, DCF), application designers,
auditors and security specialists. This activity includes:
a. ensuring that security activities are executed in compliance with the Workforce Alliance
information security policy;
b. identifying how to handle non-compliances or breaches;
c. approving methodologies and processes for information security, e.g. risk assessment and
information classification;
d. identifying significant threat changes and exposure of information and information processing
facilities to threats and breaches;
e. assessing the adequacy and coordinating the implementation of information security controls;
f. effectively promoting information security education, training and awareness throughout
Workforce Alliance and among Workforce Alliance stakeholders;
g. evaluating information received from the monitoring and reviewing of information security
incidents; and
h. recommending appropriate actions in response to identified information security incidents.
Authorization process for information processing facilities
All Workforce Alliance offices need appropriate user management authorization, authorizing their purpose
and use. Hardware and software are checked to ensure that they are compatible with other system
components. The use of personal or privately owned information processing facilities, e.g. laptops, handheld devices, for processing business information, may introduce new vulnerabilities; the necessary controls
are identified and implemented.
Confidentiality agreements
Confidentiality and non-disclosure agreements protect organizational information and inform signatories
of their responsibility to protect, use, and disclose information in a responsible and authorized manner.
Requirements for confidentiality or non-disclosure agreements reflecting Workforce Alliance’s needs for
the protection of information have been identified by the Workforce Alliance HR department at the time
of employment and should be reviewed regularly. The Workforce Alliance’s non-disclosure agreements address
the requirement to protect the confidentiality of information using legally enforceable terms. To identify
requirements for the non-disclosure agreements, the following elements are considered:
a. a definition of the information to be protected (e.g. confidential information);
b. expected duration of an agreement, including cases where confidentiality might need to be
maintained indefinitely;
c. required actions when an agreement is terminated;
d. responsibilities and actions of signatories to avoid unauthorized information disclosure (such as
‘need to know’);
e. the permitted use of confidential information, and rights of the signatory to use information;
f. the right to audit and monitor activities that involve confidential information;
g. the process for notification and reporting of unauthorized disclosure or confidential information
breaches;
h. terms for information to be returned or destroyed at agreement cessation; and
i. expected actions to be taken in case of a breach of this agreement.
Contact with authorities
Workforce Alliance Management staff will develop procedures that specify when, and by whom, authorities
(e.g. law enforcement) are contacted, and how identified information security incidents are reported in a
timely manner if it is suspected that laws may have been broken.
Contact with special interest groups with respect to information security
a. Contacts between the Director of Information Systems, IT Staff and other pertinent groups are
established to improve cooperation and coordination on security issues. Such agreements will identify
requirements for the protection of sensitive information. Membership in special interest groups or
forums is included as a means to:
i. improve knowledge about best practices and stay up to date with relevant security
information;
ii. ensure the understanding of the information security environment is current and complete;
iii. receive early warnings of alerts, advisories, and patches pertaining to attacks and
vulnerabilities;
iv. gain access to specialist information security advice;
v. share and exchange information about new technologies, products, threats, or
vulnerabilities; and
vi. provide suitable liaison points when dealing with information security incidents.
Independent review of information security
The Workforce Alliance’s approach to managing information security and its implementation (i.e. control
objectives, controls, policies, processes, and procedures for information security)
should be reviewed independently at planned intervals, or when significant changes to the
security implementation occur.
Identification of risks related to external parties
Sensitive information might be put at risk by external parties such as vendors working with inadequate
security management. The risks to Workforce Alliance’s information from external parties need to be
identified and appropriate controls implemented before granting access. The
identification of risks related to external party access will include the following:
a. the information processing facilities an external party is required to access;
b. the type of access the external party will have to the information and information processing
facilities, e.g. physical access (to offices, computer rooms, filing cabinets) or logical access (to
Workforce Alliance’s databases and information systems);
c. network connectivity between Workforce Alliance’s and the external party’s network(s), e.g.
permanent connection, remote access;
d. whether the access is taking place on-site or off-site;
e. the value and sensitivity of the information involved, and its criticality for business operations;
f. the controls necessary to protect information that is not intended to be accessible by external
parties;
g. the external party personnel involved in handling Workforce Alliance’s information;
h. how the organization or personnel authorized to have access can be identified, the authorization
verified, and how often this needs to be reconfirmed;
i. the different means and controls employed by the external party when storing, processing,
communicating, sharing and exchanging information;
j. the impact of access not being available to the external party when required;
k. practices and procedures to deal with information security incidents and potential damages, and the
terms and conditions for the continuation of external party access in the case of an information
security incident;
l. legal and regulatory requirements and other contractual obligations relevant to the external party
that are taken into account; and
m. how the interests of any other stakeholders may be affected by the arrangements.
Access by external parties to Workforce Alliance’s information will not be provided until the appropriate
controls have been implemented and, where feasible, a contract has been signed defining the terms and
conditions for the connection or access and the working arrangement. It is ensured that the external party
is aware of its obligations, and accepts the responsibilities and liabilities involved in accessing,
processing, communicating, or managing Workforce Alliance’s information.
Inventory of Information System Assets
All Workforce Alliance information system assets are clearly identified, and an inventory of all assets is drawn
up and maintained by the Workforce Alliance IT Department. The asset inventory will include all
information necessary in order to recover from a disaster, including type of asset, format, location, backup
information, license information, and a business value. Based on the importance of the asset, its business
value and its security classification, levels of protection commensurate with the importance of the assets
are identified.
There are many types of assets, including:
a. Physical and electronic information: databases and data files, contracts and agreements, system
documentation, research information, user manuals, training material, operational or support
procedures, business continuity plans, fallback arrangements, audit trails, and archived information;
b. software assets: application software, system software, development tools, and utilities;
c. physical assets: computer equipment, communications equipment, removable media, and other
equipment;
d. services: computing and communications services, general utilities, e.g. heating, lighting, power,
and air-conditioning;
e. people, and their qualifications, skills, and experience; and
f. intangibles, such as reputation and image of Workforce Alliance.
Information security awareness, education, and training
All employees of Workforce Alliance and, where relevant, other users will receive appropriate
awareness training and regular updates in Workforce Alliance policies and procedures, as relevant for their
job function. Awareness training will commence with a formal induction process designed to introduce
Workforce Alliance’s security policies and expectations before access to information or services is granted.
Ongoing training will include security requirements, legal responsibilities and business controls, as well as
training in the correct use of information processing facilities, e.g. the log-on procedure and the use of software
packages, and information on the disciplinary process.
Disciplinary process
There is a formal disciplinary process conducted by the Workforce Alliance Human Resources department
for employees who have committed a security breach. The disciplinary process will not be commenced
without prior verification that a security breach has occurred. The formal disciplinary process will ensure
correct and fair treatment for employees who are suspected of committing breaches of security. The
formal disciplinary process will provide for a graduated response that takes into consideration factors such
as the nature and gravity of the breach and its impact on business, whether or not this is a first or repeat
offence, whether or not the violator was properly trained, relevant legislation, business contracts and other
factors as required. In serious cases of misconduct the process will allow for instant removal of duties,
access rights and privileges, and for immediate escorting out of the site, if necessary. The disciplinary
process will also serve as a deterrent to prevent users from violating Workforce Alliance security policies
and procedures, and from committing any other security breaches.
Termination or change of employment
Responsibilities are assigned to the Human Resources department and the IT Department of Workforce
Alliance to ensure that a user’s exit from Workforce Alliance is managed, and that the return of all equipment
and the removal of all access rights are completed.
Return of assets
The termination process is formalized to include the return of all previously issued software, corporate
documents, and computer equipment. Other Workforce Alliance assets such as mobile computing devices,
access cards, software, manuals, and information stored on electronic media also will need to be returned.
In cases where a user purchases the Workforce Alliance’s equipment or uses their own personal
equipment, procedures are followed to ensure that all relevant information is transferred to Workforce
Alliance.
Removal of access rights
Upon termination, the access rights of a user to assets associated with information systems and services are
reconsidered. This will determine whether it is necessary to remove access rights. Changes of employment
are reflected in removal of all access rights that were not approved for the new employment. The access
rights that are removed include physical and logical access, keys, identification cards, information
processing facilities, subscriptions, and removal from any documentation that identifies them as a current
member of Workforce Alliance. If a departing user has known passwords for accounts remaining active,
these are changed upon termination or change of employment, contract or agreement. Access rights for
information assets and information processing facilities are reduced or removed before the employment
terminates or changes, depending on the evaluation of risk factors such as:
a. whether the termination or change is initiated by the user or by management, and the reason for
termination;
b. the current responsibilities of the employee, contractor or any other user; and
c. the value of the assets currently accessible.
Physical and Environmental Security and Breaches
Secure areas
Critical or sensitive information processing facilities are housed in secure areas, protected by defined
security perimeters, with appropriate security barriers and entry controls. They are physically protected
from unauthorized access, damage, and interference. The protection provided is commensurate with the
identified risks.
Physical security perimeter
The following are implemented where appropriate for physical security perimeters:
a. security perimeters are clearly defined, and the strength of each of the perimeters will depend on
the security requirements of the assets within the perimeter and the results of a risk assessment;
b. perimeters of a building or site containing information processing facilities are physically sound (i.e.
there are no gaps in the perimeter or areas where a break-in could easily occur); the external walls
of the site are of solid construction and all external doors are suitably protected against
unauthorized access with control mechanisms, e.g. computer racks, bars, alarms, locks etc; doors
and windows are locked when unattended;
c. access to server rooms, sites and buildings are restricted to authorized personnel only;
Physical entry controls
The following are implemented:
a. the date and time of entry and departure of visitors are recorded, and all visitors are supervised
unless their access has been previously approved;
b. visitors will only be granted access for specific, authorized purposes and are issued with instructions
on the security requirements of the area and on emergency procedures; access to areas where
sensitive information is processed or stored is controlled and restricted to authorized persons
only;
c. authentication controls, e.g. access control card plus PIN, are used to authorize and validate all
access;
d. an audit trail of all access is securely maintained;
e. all visitors are required to utilize some form of identification to be
Computer Equipment security and breaches
Equipment is protected from physical and environmental threats. Protection of equipment (including that
used off-site, and the removal of property) is necessary to reduce the risk of unauthorized access to
information and to protect against loss or damage. This will also consider equipment placement and
disposal.
Equipment placement and protection
Equipment is placed to reduce the risks from environmental threats and hazards, and opportunities for
unauthorized access. The following are implemented to protect equipment:
a. equipment is placed to minimize unnecessary access into computer work areas;
b. information processing facilities handling sensitive data are positioned and the viewing angle
restricted to reduce the risk of information being viewed by unauthorized persons during their use,
and storage facilities secured to avoid unauthorized access;
c. controls are adopted to minimize the risk of potential physical threats, e.g. theft, explosives, smoke,
water, dust, vibration, electrical supply interference, communications interference, and vandalism;
d. guidelines for eating, drinking, and smoking in proximity to information processing facilities are
established;
Supporting utilities
Computer equipment and peripherals are protected from power failures and other disruptions caused by
failures in supporting utilities. All supporting utilities, such as electricity, water supply, sewage,
heating/ventilation, and air conditioning are adequate for the systems they are supporting. Support utilities
are regularly inspected and as appropriate tested to ensure their proper functioning and to reduce any risk
from their malfunction or failure. A suitable electrical supply is provided that conforms to the equipment
manufacturer’s specifications. An uninterruptible power supply (UPS) to support orderly shut down or
continuous running of computer systems is used for equipment supporting critical business operations.
Power contingency plans will cover the action to be taken on failure of the UPS. UPS equipment is
regularly checked to ensure it has adequate capacity and is tested in accordance with the manufacturer’s
recommendations. The water supply is stable and adequate to supply air conditioning, humidification
equipment and fire suppression systems (where used).
Cabling security
Power and telecommunications cabling carrying data or supporting information services is
protected from interception or damage. The following are implemented for cabling security:
a. power cables are segregated from communications cables to prevent interference; and
b. clearly identifiable cable and equipment markings are used to minimize handling errors, such as
accidental patching of wrong network cables, and a documented patch list is used to reduce the
possibility of errors.
Computer Equipment maintenance
Computer equipment is correctly maintained to ensure its continued availability and integrity.
The following are implemented for equipment maintenance:
a. equipment is maintained in accordance with the supplier’s recommended service intervals and
specifications;
b. only authorized maintenance personnel will carry out repairs and service equipment;
c. records are kept of all suspected or actual faults, and all preventive and corrective maintenance; and
d. appropriate controls are implemented when computer equipment is scheduled for maintenance,
taking into account whether this maintenance is performed by personnel on site or external to
Workforce Alliance.
Security of computer equipment off-premises
Security is applied to off-site equipment. Regardless of ownership, the use of any information processing
equipment outside Workforce Alliance’s premises will need to be authorized by management. The
following are implemented for the protection of offsite equipment:
a. equipment and media taken off the premises will not be left unattended in public places;
b. portable computers are carried as hand luggage when traveling;
c. manufacturers’ instructions for protecting equipment are observed at all times;
d. home-working controls are determined by a risk assessment and suitable controls applied as
appropriate; and
e. adequate insurance cover is in place to protect equipment off-site.
Secure disposal or re-use of equipment
All computer related items containing storage media are checked to ensure that any sensitive data and
licensed software has been removed or securely overwritten prior to disposal. Devices containing sensitive
information are physically destroyed, or the information is destroyed, deleted or overwritten using
techniques to make the original information non-retrievable rather than using the standard delete or format
function. Damaged devices containing sensitive data will require a risk assessment to determine whether
the items are physically destroyed rather than sent for repair or discarded.
Removal of property
Equipment, information or software will not be taken off-site without prior authorization. The following
are implemented:
a. equipment, information or software will not be taken off-site without prior authorization;
b. users who have authority to permit off-site removal of assets are clearly identified;
c. time limits for equipment removal are set and returns checked for compliance; and
d. equipment is recorded as being removed off-site and recorded when returned.
Documented operating procedures
Workforce Alliance computer operating procedures are documented, maintained, and made available to all
IT staff on the Workforce Alliance Intranet site, and can be made available to users who need
them. Documented procedures are prepared for system activities associated with information processing
and communication facilities, such as computer start-up and close-down procedures, backup, equipment
maintenance, media handling, computer room and mail handling management, and safety. The operating
procedures will specify the instructions for the detailed execution of each job including:
a. processing and handling of information;
b. backup;
c. scheduling requirements, including interdependencies with other systems, earliest job start and
latest job completion times;
d. instructions for handling errors or other exceptional conditions, which might arise during job
execution, including restrictions on the use of system utilities;
e. support contacts in the event of unexpected operational or technical difficulties;
f. system restart and recovery procedures; and
g. the management of audit-trail and system log information.
Change management
Operational systems and application software are subject to strict change management control.
The following are implemented:
a. identification and recording of significant computer network changes;
b. planning and testing of changes;
c. assessment of the potential impacts, including security breach impacts, of such changes;
d. formal approval procedure for proposed changes;
e. communication of change details to all relevant persons;
f. fallback procedures, including procedures and responsibilities for aborting and recovering from
unsuccessful changes and unforeseen events.
Formal computer management responsibilities and procedures are in place to ensure satisfactory control of
all changes to equipment, software or procedures. When changes are made, an audit log containing all
relevant information is retained. Changes to operational systems will only be made when there is a valid
business reason to do so, such as an increase in the risk to the system. Updating systems with the latest
versions of operating system or application is not always in the business interest as this could introduce
more vulnerabilities and instability than the current version. There may also be a need for additional
training, license costs, support, maintenance and administration overhead, and new hardware especially
during migration.
Separation of development systems from production systems
Development, test, and operational facilities are separated to reduce the risks of unauthorized access or
changes to the operational system. In particular, the following items are considered:
a. rules for the transfer of software from development to operational status are defined and
documented;
b. development and operational software will run on different systems or computer processors and in
different domains or directories;
c. compilers, editors, and other development tools or system utilities will not be accessible from
operational systems when not required;
d. the test system environment will emulate the operational system environment as closely as possible;
e. users will use different user profiles for operational and test systems, and menus will display
appropriate identification messages to reduce the risk of error; and
f. sensitive data will not be copied into the test system environment.
Third party service delivery management
The Workforce Alliance will check the implementation of agreements, monitor compliance with the
agreements and manage changes to ensure that the services delivered meet all requirements agreed with the
third party.
Service delivery
Workforce Alliance will ensure that the security controls, service definitions and delivery levels included in
the third party service delivery agreement are implemented, operated, and maintained by the third party.
Service delivery by a third party will include the agreed security arrangements, service definitions, and
aspects of service management. In case of outsourcing arrangements, Workforce Alliance will plan the
necessary transitions (of information, information processing facilities, and anything else that needs to be
moved), and will ensure that security is maintained throughout the transition period. The Workforce
Alliance IT Department will ensure that the third party maintains sufficient service capability together with
workable plans designed to ensure that agreed service continuity levels are maintained following major
service failures or disaster.
Monitoring and review of vendors (third party services)
The services, reports and records provided by the third party are regularly monitored and reviewed, and
audits are carried out regularly. Monitoring and review of third party services will ensure that the
information security terms and conditions of the agreements are being adhered to, and that information
security incidents and problems are managed properly. This will involve a service management relationship
and process between Workforce Alliance and the third party to:
a. monitor service performance levels to check adherence to the agreements;
b. review service reports produced by the third party and arrange regular progress meetings as
required by the agreements;
c. provide information about information security incidents and review of this information by the
third party and Workforce Alliance as required by the agreements and any supporting guidelines
and procedures;
d. review third party audit trails and records of security events, operational problems, failures, tracing
of faults and disruptions related to the service delivered; and
e. resolve and manage any identified problems.
System planning and acceptance
Advance planning and preparation are required to ensure the availability of adequate capacity and resources
to deliver the required system performance. Projections of future capacity requirements are made, to
reduce the risk of system overload. The operational requirements of new systems are established,
documented, and tested prior to their acceptance and use.
Capacity management
The use of resources is monitored and tuned, and projections are made of future capacity requirements to ensure
the required system performance.
System acceptance
Acceptance criteria for new information systems, upgrades, and new versions are established and suitable
tests of the system(s) carried out during development and prior to acceptance. The IT Department will
ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed,
documented, and tested. New information systems, upgrades, and new versions will only be migrated into
production after obtaining formal acceptance. The following items are considered prior to formal
acceptance being provided:
a. performance and computer capacity requirements;
b. error recovery and restart procedures, and contingency plans;
c. preparation and testing of routine operating procedures to defined standards;
d. agreed set of security controls in place;
e. effective manual procedures;
f. business continuity arrangements;
g. evidence that installation of the new system will not adversely affect existing
systems, particularly at peak processing times, such as month end;
h. evidence that consideration has been given to the effect the new system has on the
overall security of Workforce Alliance;
i. training in the operation or use of new systems; and
j. ease of use, as this affects user performance and avoids human error.
Monitoring and Protection against malicious code
Precautions are required to prevent and detect the introduction of malicious code. Software and
information processing facilities are vulnerable to the introduction of malicious code, such as computer
viruses, network worms, Trojan horses, and logic bombs. Users are made aware of the dangers of
malicious code. Managers will introduce controls to prevent, detect, and remove malicious code and
control mobile code.
Controls against malicious code
Detection, prevention, and recovery controls to protect against malicious code and appropriate
hardware/software and user awareness are implemented. Protection against malicious code is based on
malicious code detection and repair software, security awareness, and appropriate system access and
change management controls. The following are implemented:
a. establishing a formal policy prohibiting the use of unauthorized software;
b. establishing a formal policy to protect against risks associated with obtaining files and software
either from or via external networks, or on any other medium, indicating what protective measures
are taken;
c. conducting regular reviews of the software and data content of systems supporting critical business
processes; the presence of any unapproved files or unauthorized amendments is formally
investigated;
d. installation and regular update of malicious code detection and repair software to scan computers
and media as a precautionary control, or on a routine basis; the checks carried out will include:
i. checking any files on electronic or optical media, and files received over networks, for malicious
code before use;
ii. checking electronic mail attachments and downloads for malicious code before use; this check is
carried out at different places, e.g. at electronic mail servers, desktop computers and when entering
the network of Workforce Alliance; and
iii. checking web pages for malicious code;
e. defining management procedures and responsibilities to deal with malicious code protection on
systems, training in their use, reporting and recovering from malicious code attacks;
f. preparing appropriate business continuity plans for recovering from malicious code attacks,
including all necessary data and software back-up and recovery arrangements;
g. implementing procedures to regularly collect information, such as subscribing to mailing lists
and/or checking web sites giving information about new malicious code;
h. implementing procedures to verify information relating to malicious code, and ensure that warning
bulletins are accurate and informative; and
i. the IT Department will ensure that qualified sources, e.g. reputable journals, reliable Internet sites or
suppliers producing software protecting against malicious code, are used to differentiate between
hoaxes and real malicious code; all users are made aware of the problem of hoaxes and what to do on
receipt of them.
Back-up
Routine procedures are established to implement the agreed back-up policy and strategy for taking back-up
copies of data and rehearsing their timely restoration.
Information back-up
Back-up copies of information and software are taken and tested regularly in accordance with the agreed
backup policy. Adequate back-up facilities are provided to ensure that all essential information and
software can be recovered following a disaster or media failure. The following items for information back
up are implemented:
a. the necessary level of back-up information is defined;
b. accurate and complete records of the back-up copies and documented restoration procedures are
produced;
c. the extent (e.g. full or differential backup) and frequency of backups will reflect the business
requirements of Workforce Alliance, the security requirements of the information involved, and
the criticality of the information to the continued operation of Workforce Alliance;
d. the back-ups are stored in a remote location, at a sufficient distance to escape any damage from a
disaster at the main site;
e. back-up information is given an appropriate level of physical and environmental protection
consistent with the standards applied at the main site;
f. the controls applied to media at the main site are extended to cover the backup site;
g. back-up media are regularly tested to ensure that they can be relied upon for emergency use when
necessary;
h. restoration procedures are regularly checked and tested to ensure that they are effective and that
they can be completed within the time allotted in the operational procedures for recovery; and
i. in situations where confidentiality is of importance, back-ups are protected by means of encryption.
Network security management and Breaches
The secure management of networks, which may span Workforce Alliance boundaries, requires
careful consideration to dataflow, legal implications, monitoring, and protection. Additional controls may
also be required to protect sensitive information passing over public networks.
Network controls to protect against breaches
Networks are adequately managed and controlled, in order to be protected from threats, and to maintain
security for the systems and applications using the network, including information in transit. The Director
of Information Technology has implemented controls to ensure the security of information in networks,
and the protection of connected services from unauthorized access. In particular, the following items are
implemented:
a. special controls are established to safeguard the confidentiality and integrity of data passing over
public networks or over wireless networks;
b. appropriate logging and monitoring are applied to enable recording of security relevant actions; and
c. management activities are closely coordinated both to optimize the service to Workforce Alliance
and to ensure that controls are consistently applied across the information processing
infrastructure.
Security and breaches of network services
Network services include the provision of connections, private network services, and value added
networks and managed network security solutions such as firewalls and intrusion detection systems.
Security features, service levels, and management requirements of all network services are identified and
included in any network services agreement, whether these services are provided in-house or outsourced.
The ability of the network service provider to manage agreed services in a secure way is determined and
regularly monitored, and the right to audit is agreed. The security arrangements necessary for particular
services, such as security features, service levels, and management requirements, are identified. The
Workforce Alliance IT Department will ensure that network service providers implement these measures.
Media handling
Media are controlled and physically protected by the Workforce Alliance IT Department. Appropriate
operating procedures are established to protect documents, computer media (e.g. tapes, disks),
input/output data and system documentation from unauthorized disclosure, modification, removal, and
destruction.
Management of removable media
Removable media include tapes, disks, flash disks, removable hard drives, CDs, DVDs, and printed media.
There are procedures in place for the management of removable media. The following is implemented for
the management of removable media:
a. if no longer required, the contents of any re-usable media are made unrecoverable;
b. authorization is required for media removed from Workforce Alliance, and a record of such
removals is kept in order to maintain an audit trail; and
c. all media are stored in a safe, secure environment, in accordance with manufacturers’ specifications.
Disposal of media to prevent security breaches
Formal procedures for the secure disposal of media will minimize the risk of sensitive information leakage
to unauthorized persons. The procedures for secure disposal of media containing sensitive information are
commensurate with the sensitivity of that information. The following items are implemented:
a. media containing sensitive information are stored and disposed of securely and safely;
b. procedures are in place to identify the items that might require secure disposal; and
c. disposal of sensitive items is logged in order to maintain an audit trail.
Security of system documentation
System documentation is protected against unauthorized access. To secure system documentation, the
following items are implemented:
a. system documentation is stored securely; and
b. the access list for system documentation is kept to a minimum and authorized by the IT Director.
Electronic messaging and breaches
Information involved in electronic messaging is appropriately protected. Security hardware/software and
user considerations for electronic messaging will include the following:
a. protecting messages from unauthorized access, modification or denial of service;
b. ensuring correct addressing and transportation of the message;
c. general reliability and availability of the service;
d. legal considerations, for example requirements for electronic signatures;
e. stronger levels of authentication controlling access from publicly accessible networks.
Business information systems and breaches
Policies and procedures are implemented to protect information associated with the interconnection of
business information systems. Consideration given to the security and business implications of
interconnecting such facilities will include:
a. known vulnerabilities in the administrative and accounting systems where information is shared
between different parts of Workforce Alliance business systems;
b. vulnerabilities of information in business communication systems, e.g. recording phone calls or
conference calls, confidentiality of calls, storage of facsimiles, opening mail, distribution of mail;
c. policy and appropriate controls to manage information sharing;
d. excluding categories of sensitive business information and classified documents if the system does
not provide an appropriate level of protection;
e. restricting access to diary information relating to selected individuals, e.g. personnel working on
sensitive projects;
f. categories of personnel, contractors or business partners allowed to use the system and the
locations from which it may be accessed;
g. restricting selected facilities to specific categories of user;
h. retention and back-up of information held on the system; and
i. fallback requirements and arrangements.
Electronic commerce services (on-line transactions)
The security implications associated with using electronic commerce services, including on-line
transactions, are considered, and the requirements for controls are implemented.
Electronic commerce (i.e., Workforce Alliance Summits)
Information involved in electronic commerce passing over public networks is protected from fraudulent
activity, contract dispute, and unauthorized disclosure and modification. Security considerations for
electronic commerce will include the following:
a. the level of confidence each party requires in each other's claimed identity, e.g. through
authentication;
b. authorization processes associated with who may set prices, issue or sign key trading documents;
c. ensuring that trading partners are fully informed of their authorizations;
d. determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt
of key documents, and the non-repudiation of contracts, e.g. associated with tendering and
contract processes;
e. the confidentiality of any sensitive data or information; and
f. the confidentiality and integrity of any order transactions, payment information, delivery address
details, and confirmation of receipts.
Workforce Alliance Finance On-Line Transactions Security and Breaches
Information involved in on-line transactions is protected to prevent incomplete transmission, misrouting,
unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.
Security considerations for on-line transactions include the following:
a. the use of electronic signatures by each of the parties involved in the transaction;
b. all aspects of the transaction, i.e. ensuring that user credentials of all parties are valid and verified;
c. the transaction remains confidential, and the privacy of all parties involved is retained;
d. the communications path between all involved parties is encrypted;
e. the protocols used to communicate between all involved parties are secured;
f. ensuring that the storage of the transaction details is located outside of any publicly accessible
environment, e.g. on a storage platform existing on the Workforce Alliance’s Intranet, and not
retained and exposed on a storage medium directly accessible from the Internet; and
g. where a trusted authority is used (e.g. for the purposes of issuing and maintaining digital signatures
and/or digital certificates), security is integrated and embedded throughout the entire end-to-end
certificate/signature management process.
Publicly available information (Workforce Alliance website)
The integrity of information being made available on a publicly available system is protected to prevent
unauthorized modification. Software, data, and other information requiring a high level of integrity, being
made available on a publicly available system, are protected by appropriate mechanisms, e.g. digital
signatures. The publicly accessible system is tested against weaknesses and failures prior to information
being made available. There is a formal approval process before information is made publicly available. In
addition, all input provided from the outside to the system is verified and approved. Electronic publishing
systems, especially those that permit feedback and direct entering of information, are carefully controlled
so that:
a. information is obtained in compliance with any data protection legislation;
b. information input to, and processed by, the publishing system is processed completely and
accurately in a timely manner;
c. sensitive information is protected during collection, processing, and storage; and
d. access to the publishing system does not allow unintended access to networks to which the system
is connected.
Monitoring of Information systems and breaches
Systems are monitored and information security events are recorded. Operator logs and fault logging are
used to ensure information system problems are identified daily. Workforce Alliance IT staff comply with
all relevant legal requirements applicable to their monitoring and logging activities. System monitoring is
used to check the effectiveness of controls adopted and to verify conformity to an access policy model.
Audit logging for Information System breaches
Audit logs recording user activities, exceptions, and information security events are produced and kept for
an agreed period to assist in future investigations and access control monitoring. Audit logs will include,
when relevant:
a. user IDs;
b. dates, times, and details of key events, e.g. log-on and log-off;
c. terminal identity or location;
d. records of successful and rejected system access attempts;
e. records of successful and rejected data and other resource access attempts;
f. changes to system configuration;
g. use of privileges;
h. use of system utilities and applications;
i. files accessed and the kind of access;
j. network addresses and protocols;
k. alarms raised by the access control system; and
l. activation and de-activation of protection systems, such as anti-virus systems and intrusion
detection systems.
Monitoring system use
Procedures for monitoring use of information processing facilities are established and the results of the
monitoring activities are reviewed regularly. The level of monitoring required for individual facilities is
determined by a risk assessment. Workforce Alliance IT Department will comply with all relevant legal
requirements applicable to its monitoring activities.
Areas that are implemented include:
a. authorized access, including detail such as:
i. the user ID;
ii. the date and time of key events;
iii. the types of events;
iv. the files accessed;
v. the program/utilities used;
b. all privileged operations, such as:
i. use of privileged accounts, e.g. supervisor, root, administrator;
ii. system start-up and stop;
iii. I/O device attachment/detachment;
c. unauthorized access attempts, such as:
i. failed or rejected user actions;
ii. failed or rejected actions involving data and other resources;
iii. access policy violations and notifications for network gateways and firewalls;
iv. alerts from proprietary intrusion detection systems;
d. system alerts or failures such as:
i. console alerts or messages;
ii. system log exceptions;
iii. network management alarms;
iv. alarms raised by the access control system; and
e. changes to, or attempts to change, system security settings and controls.
How often the results of monitoring activities are reviewed will depend on the risks involved. Risk factors
that are considered include the:
a. criticality of the application processes;
b. value, sensitivity, and criticality of the information involved;
c. past experience of system infiltration and misuse, and the frequency of vulnerabilities being
exploited;
d. extent of system interconnection (particularly public networks); and
e. logging facility being de-activated.
Protection of historical log information
Logging facilities and log information are protected against tampering and unauthorized access. Controls
will protect against unauthorized changes and operational problems with the logging facility including:
a. alterations to the message types that are recorded;
b. log files being edited or deleted; and
c. storage capacity of the log file media being exceeded, resulting in either the failure to record events
or over-writing of past recorded events.
Administrator and operator logs
System administrator and system operator activities are logged. Logs will include:
a. the time at which an event (success or failure) occurred;
b. information about the event (e.g. files handled) or failure (e.g. error occurred and corrective action
taken);
c. which account and which administrator or operator was involved; and which processes were
involved.
Fault logging
Faults reported by users or by system programs related to problems with information processing or
communications systems are logged. There are clear rules for handling reported faults including:
a. review of fault logs to ensure that faults have been satisfactorily resolved; and
b. review of corrective measures to ensure that controls have not been compromised, and that the
action taken is fully authorized.
Clock synchronization
The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be
required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may hinder
such investigations and damage the credibility of such evidence. Therefore, where a computer or
communications device has the capability to operate a real-time clock, this clock is set to an agreed
standard. As some clocks are known to drift with time, there is a procedure that checks for and corrects
any significant variation. The correct interpretation of the date/time format is important to ensure that the
timestamp reflects the real date/time. Local specifics (e.g. daylight saving time) are taken into account.
Access Control
Business requirement for access control
Access to information, information processing facilities, and business processes is controlled on the basis
of business and security requirements. Access control rules will take account of policies for information
dissemination and authorization.
Access control policy
An access control policy is established, documented, and reviewed based on business and security
requirements for access. Access control rules and rights for each user or group of users are clearly stated in
an access control policy. Access controls are both logical and physical and these are considered together.
Users and service providers are given a clear statement of the business requirements to be met by access
controls. The policy will include the following:
a. security requirements of individual business applications;
b. identification of all information related to the business applications and the risks the information is
facing;
c. policies for information dissemination and authorization, e.g. the need to know principle and
security levels and classification of information;
d. consistency between the access control and information classification policies of different systems
and networks;
e. relevant legislation and any contractual obligations regarding protection of access to data or
services;
f. standard user access profiles for common job roles in Workforce Alliance;
g. management of access rights in a distributed and networked environment which recognizes all
types of connections available;
h. segregation of access control roles, e.g. access request, access authorization, access administration;
i. requirements for formal authorization of access requests;
j. requirements for periodic review of access controls; and
k. removal of access rights.
User access management and monitoring of breaches
Formal procedures are in place to control the allocation of access rights to information systems and
services. The procedures will cover all stages in the life-cycle of user access, from the initial registration of
new users to the final de-registration of users who no longer require access to information systems and
services. In addition, audit logs are created 24/7 in the event of a security breach.
User registration regular monitoring
There is a formal user registration and de-registration procedure in place for granting and revoking access
to all information systems and services. The access control procedure for user registration and de-registration will include:
a. using unique user IDs to enable users to be linked to and held responsible for their actions;
b. the use of group IDs will only be permitted where they are necessary for business or operational
reasons, and are approved and documented;
c. checking that the user has authorization from the system owner for the use of the information
system or service;
d. checking that the level of access granted is appropriate to the business purpose and is consistent
with Workforce Alliance security policy;
e. giving users a written statement of their access rights;
f. requiring users to sign statements indicating that they understand the conditions of access;
g. ensuring service providers do not provide access until authorization procedures have been
completed;
h. maintaining a formal record of all persons registered to use the service;
i. immediately removing or blocking access rights of users who have changed roles or jobs or left
Workforce Alliance;
j. periodically checking for, and removing / blocking, redundant user IDs and accounts; and
k. ensuring that redundant user IDs are not issued to users.
Privilege management
The allocation and use of privileges are restricted and controlled. Multi-user systems that require protection
against unauthorized access will have the allocation of privileges controlled through a formal authorization
process. The following steps are implemented:
a. the access privileges associated with each computer system are identified by;
b. privileges are allocated to users on a need-to-use basis in line with the access control policy i.e. the
minimum requirement for their functional role only when needed; and
c. an authorization process and a record of all privileges allocated are maintained. Privileges will not
be granted until the authorization process is complete.
Information Security Incident Management
Reporting information security events and weaknesses
Formal event reporting and escalation procedures are in place. All users are made aware of the procedures
for reporting the different types of event and weakness that might have an impact on the security of
Workforce Alliance assets through email, Workforce Alliance Intranet and training. They are required to
report any information security events and weaknesses as quickly as possible to the designated point of
contact.
Reporting information system security events
Information security events are reported through appropriate management channels as quickly as possible.
A formal information security event reporting procedure is established, together with an incident response
and escalation procedure, setting out the action to be taken on receipt of a report of an information security
event. A point of contact is established for the reporting of information security events. It is ensured that
this point of contact is known throughout Workforce Alliance, is always available and is able to provide an
adequate and timely response. All users are made aware of their responsibility to report any information
security events as quickly as possible. They will also be aware of the procedure for reporting information
security events and the point of contact. The reporting procedures will include:
a. suitable feedback processes to ensure that those reporting information security events are notified
of results after the issue has been dealt with and closed;
b. information security event reporting forms to support the reporting action, and to help the person
reporting to remember all necessary actions in case of an information security event;
c. the correct behaviour to be undertaken in case of an information security event, i.e. noting all
important details (e.g. type of non-compliance or breach, occurring malfunction, messages on the
screen, strange behaviour) immediately;
d. not carrying out any own action, but immediately reporting to the point of contact;
e. reference to an established formal disciplinary process for dealing with users who commit security
breaches.
Examples of information security events and incidents are: loss of service, equipment or facilities; system
malfunctions or overloads; human errors; non-compliances with policies or guidelines; breaches of physical
security arrangements; uncontrolled system changes; malfunctions of software or hardware; and access
violations.
Reporting security weaknesses
All users of information systems and services are required to note and report any observed or suspected
security weaknesses in systems or services. All users will report these matters either to their management or
directly to their service provider as quickly as possible in order to prevent information security incidents.
The reporting mechanism will be as easy, accessible, and available as possible. Users are informed that they
are not, in any circumstances, to attempt to prove a suspected weakness themselves.
Management of information security incidents and improvements
Responsibilities and procedures are in place to handle information security events and weaknesses
effectively once they have been reported. A process of continual improvement is applied to the response
to, monitoring, evaluating, and overall management of information security incidents. Where evidence is
required, it is collected to ensure compliance with legal requirements.
Responsibilities and procedures for information system breaches
Management responsibilities and procedures are established to ensure a quick, effective, and orderly
response to information security incidents. In addition to reporting of information security events and
weaknesses, the monitoring of systems, alerts, and vulnerabilities are used to detect information security
incidents. The following guidelines for information security incident management procedures are
considered:
a. procedures are established to handle different types of information security incident, including:
i. information system failures and loss of service;
ii. malicious code;
iii. denial of service;
iv. errors resulting from incomplete or inaccurate business data;
v. breaches of confidentiality and integrity;
vi. misuse of information systems;
b. in addition to normal contingency plans, the procedures will also cover:
i. analysis and identification of the cause of the incident;
ii. containment;
iii. planning and implementation of corrective action to prevent recurrence, if necessary;
iv. communication with those affected by or involved with recovery from the incident;
v. reporting the action to the appropriate authority;
c. audit trails and similar evidence are collected and secured, as appropriate, for:
i. internal problem analysis;
ii. use as forensic evidence in relation to a potential breach of contract or regulatory requirement or in
the event of civil or criminal proceedings, e.g. under computer misuse or data protection
legislation;
iii. negotiating for compensation from software and service suppliers;
d. action to recover from security breaches and correct system failures is carefully and formally
controlled; the procedures will ensure that:
i. only clearly identified and authorized personnel are allowed access to live systems and data;
ii. all emergency actions taken are documented in detail;
iii. emergency action is reported to management and reviewed in an orderly manner;
iv. the integrity of business systems and controls is confirmed with minimal delay; and
e. the objectives for information security incident management are agreed with management, and it
is ensured that those responsible for information security incident management understand
Workforce Alliance’s priorities for handling information security incidents.