1 Policy Statement
To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure integrity, availability, and authenticity of its website and all information contained within. An organization’s website is its interface with the external world. Information contained within the website is deemed as authentic statements from the management of the organization. It is imperative to publish only authenticated content on the website and maintain its integrity and availability.
The purpose of the Website Security Policy is to establish rules for preserving the integrity, availability, and authenticity of XXX’s website.
3. 1 Employees
This applies to all permanent employees, contractual employees, trainees, privileged customers and all other visitors.
The Website Security Policy documentation shall consist of Website Security Policy and related procedures & guidelines.
3.3 Document Control
The Website Security Policy document and all other referenced documents shall be controlled. Version control shall be to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purpose.
Records being generated as part of the Website Security Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
3.5 Distribution and Maintenance
The Website Security Policy document shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Website Security Policy document shall be with the CISO and website administrator.
The Website Security Policy document shall be considered as “confidential” and shall be made available to the concerned persons with proper access control. Subsequent changes and versions of this document shall be controlled.
The CISO / designated personnel and website administrator are responsible for proper implementation of the Website Security Policy.
Following are the policies defined for maintaining Security of the website:
- The website shall be developed and maintained as per relevant guidelines of Govt. of Kuwait
- User registration for secured access to the website shall be required when i) a web application or internal link requires user identification before processing, or ii) accessed data has been classified as “sensitive” and requires further authorization.
- To facilitate site management, information shall be collected for statistical purposes. XXX shall employ software programs to compile summary usage statistics, which may be used for assessing what information is relevant to users. The data so accumulated may be used to help determine technical design specifications, identify system performance, or pinpoint problem areas.
- Except for authorized security investigations and data collection, no attempts shall be made to identify individual users or their usage habits. Accumulated data logs will be scheduled for regular deletion in accordance with schedules set by the web administrators.
- Unauthorized attempts to upload information or change website information are strictly prohibited, and may be punishable under relevant cyber laws.
- Access to sensitive or proprietary business information on the websites shall be limited to employees, customers, clients and vendors who have been determined to have an appropriate business reason for having access to such data. All registered website users, who are granted security access, will be identified by a user name (referred to as the User ID). All actions performed with a User ID will be the responsibility of the ID’s registered owner.
- Individuals who are granted password access to restricted information on the website are prohibited from sharing those passwords with, or divulging those passwords to, any third parties. User will notify XXX immediately in the event a User ID or password is lost or stolen or if user believes that a non-authorized individual has discovered the User ID or password.
- XXX’s records shall be final and conclusive in all questions concerning whether or not a specific User ID or password was used in connection with a particular action.
- Any data or document upload to social networking sites shall be duly authorized by the competent authority and shall be done by designated persons authorized to do so.
Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.
If you need assistance or have any doubt and need to ask any question contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.