
New York State Issues Statewide Security Policy

Policy touted as the Office for Technology's "security constitution"

New York state's Office for Technology recently published an overarching security policy titled "Protection of OFT's Information Assets Policy" (P04-003). The title was carefully chosen to reflect the fact that the confidentiality, integrity and availability of customer information goes to the core of the OFT mission, and is a task that affects every aspect of the business.

The policy defines OFT's security goals and sets the stage for OFT's security program. The policy does not contain specific details but rather was developed to be viewed as OFT's security constitution. The goal is to maintain consistency over time and reduce the number of changes. It is conceptual in nature and technology neutral.

Implementation details behind each security goal are not included in the policy: this would have made the document too long and unreadable, and would have required constant updating. Instead, the implementation details are contained in standards and supporting procedures that are in the process of being issued.

Although the document is not very long, it covers a lot of material, including:
  • Asset Classification - To adequately protect information, OFT must understand how important and sensitive it is. All information must be classified for its confidentiality, integrity and availability.
  • Risk Management and Risk Analysis - Outlines the information risk management program for OFT, including risk assessments for the Agency, new projects and for security testing of existing systems, such as vulnerability scanning.
  • Business Use of Systems - This section will be further expanded in the User Responsibilities Policy, but it explains the "do's" and "don'ts" of using OFT's computing assets.
  • System and Information Availability - Covers Disaster Recovery planning, including back-up and recovery of systems.
  • Integrity of Data Processing Environment - Discusses security measures over OFT's routine data processing activities.
  • Protection of Information, Systems and Physical Infrastructure - This is one of the longer sections, discussing physical and logical access, audit logging, secure disposal of information and how to report security breaches.
  • Implementation and Enhancements to Systems and Physical Infrastructure - Defines the need to include security requirements in the initial planning phases of any project.
  • Virus and Malicious Software Prevention - Discusses standard topics surrounding computer viruses and worms, but also intellectual property rights, such as illegal copying of software.
  • Privacy - Talks about the collection and maintenance of personal data.
  • Change Management - Outlines the requirements for documentation, management and approval of changes to information, systems or physical infrastructure.
  • Interconnectivity - Looks at how to secure information over networks, particularly the Internet. Restrictions over outside parties, such as vendors, connecting equipment to an OFT network are clearly defined.
  • Roles and Responsibilities - Provides an outline of roles and key responsibilities for the OFT workforce.
The policy also has an exception process. Because compliance with the policy will take time, and non-compliance introduces risk, OFT needs a process to track compliance activities. The exception process documents areas of non-compliance and their mitigation strategies, so that OFT management can understand and manage the risks.