Introduction
The objective of information security is to provide management direction and support for information security in accordance with My Office Live Community’s business requirements and administering laws and regulations. Information security policies are approved by the management, published, and communicated to all employees and relevant external parties. These policies will set out My Office Live Community’s approach to managing information security and will align with relevant state-wide policies.
Information security will be coordinated across different parts of the My Office Live Community with relevant roles and job functions. Information security responsibilities will be clearly defined and communicated. Security of My Office Live Community’s information assets and information technology that are accessed, processed, communicated to, or managed by external parties will be maintained.
Information security policies will be reviewed at planned intervals annually or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. Each policy will have an owner who has approved management responsibility for the development, review, and evaluation of the policy. Reviews will include assessing opportunities for improvement of My Office Live Community’s information security policies and approach to managing information security in response to changes to My Office Live Community’s environment, new threats and risks, business circumstances, legal and policy implications, and technical environment.
Physical Security
The objective of physical and environmental security is to prevent unauthorized physical access, damage, theft, compromise, and interference to My Office Live Community’s information and facilities. Locations housing critical or sensitive information or information assets will be secured with appropriate security barriers and entry controls. They will be physically protected from unauthorized access, damage, and interference. Secure areas will be protected by appropriate security entry controls to ensure that only authorized personnel are allowed access. Security will be applied to off-site equipment. All equipment containing storage media will be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal in compliance with statewide policies.
Server Security
Password-based authentication is vulnerable to a brute-force attack. So, password-based authentication is disabled to our production servers. Instead, public-private key pair is generated on the accessing machines and placed in the appropriate place in the servers. As such, the servers are accessible from these particular machines only. Also, database servers can be accessed only from application servers.
Access Control
Access to information, information systems, information processing facilities, and business processes will be controlled on the basis of business and security requirements. Formal procedures will be developed and implemented to control access rights to information, information systems, and services to prevent unauthorized access. Users will be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords. Users will be made aware of their responsibilities to ensure unattended equipment has appropriate protection. A clear desk policy for papers and removable storage devices and a clear screen policy will be implemented, especially in work areas accessible by the public. Steps will be taken to restrict access to operating systems to authorized users. Protection will be required commensurate with the risks when using mobile computing and teleworking facilities.
- All cloud servers will be locked from password access and only be allowed through digital certificates.
- Digital certification for production access will be changed from time to time.
- Password for My Office Live Community admin interface will be changed every 3months.
Monitoring
My Office Live Community uses several monitoring services to make sure the servers and the environmont is secure. The services alert us via email for any abnormalities in our servers.
Compliance
The design, operation, use, and management of information and information assets are subject to statutory, regulatory, and contractual security requirements. Compliance with legal requirements is necessary to avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. Legal requirements include, but are not limited to: state statute, statewide and My Office Live Community policy, regulations, contractual agreements, intellectual property rights, copyrights, and protection and privacy of personal information.
Controls will be established to maximize the effectiveness of the information systems audit process. During the audit process, controls will safeguard operational systems and tools to protect the integrity of the information and prevent misuse.