Cybersecurity Policy

Cyber Security Policy and Guidelines: Department of Education

Principles

The Department of Physical Education has established regulations for the usage, maintenance, and protection of information assets appropriate to its operational characteristics. Such maintenance and protection are aimed at ensuring cybersecurity, driven by three core principles to uphold Confidentiality, Integrity, and Availability (CIA Triad) as follows:

  • Confidentiality means preventing assets from being accessed by unauthorized persons; unauthorized access also includes the unauthorized disclosure and distribution of such assets. Therefore, maintaining confidentiality requires both physical and technical controls so that unauthorized individuals cannot reach the assets. Furthermore, assets must be clearly classified with defined levels of protection requirements, enabling asset holders to handle them properly and appropriately according to their respective classification levels.

  • Integrity means preventing assets from being altered or modified, whether intentionally or unintentionally, by unauthorized persons. Consequently, controls and protection must encompass the definition of modification rights and access rights, supplemented by verification through both technical means and asset inventory audits.

  • Availability means ensuring that authorized users can access and utilize the assets whenever needed, encompassing both physical and technological aspects. For instance, the electronic mail (E-mail) service must remain operational at all times; when a user needs to send or receive an email, the system must be fully capable of serving that request continuously.

Operational Policies

  1. The Department of Physical Education shall conduct a risk assessment at least once a year, and every time a significant change occurs. Such risk assessments shall thoroughly consider the internal context, external context, interested parties, vision, mission, significant changes in the cybersecurity landscape, risks, and international standards.

  2. The Department of Physical Education shall define acceptable and unacceptable risk criteria to serve as a guideline for managing risks identified during the risk assessment process.

  3. The Department of Physical Education shall arrange a policy review at least once a year, or upon any significant changes.

  4. The Department of Physical Education shall establish a Cyber Threat Response Plan to effectively handle and respond to cybersecurity incidents.

  5. The Department of Physical Education shall evaluate the efficacy of the enacted policies to continually update the policies and strategic plans, ensuring alignment with current and emerging cyber threats.

  6. The Department of Physical Education shall allocate adequate resources—including budget, personnel, and technology management—to effectively support the organization’s security management.

Cybersecurity Structure for the Organization

The Department of Physical Education establishes measures to control, govern, and monitor the performance of cybersecurity duties across various internal divisions. These measures also serve as guidelines for regulating information technology equipment and external operations in compliance with the Information and Cyber Security Policy, which is divided into 2 parts:

1. Internal Organization

The Department of Physical Education shall define roles, duties, and responsibilities to ensure the appropriate and cyber-secure utilization of information technology systems.

2. Computing Device and Teleworking Policy

To maintain cybersecurity for computing devices and operations conducted from outside the organization.

Human Resource Security Policy

The Department of Physical Education shall implement appropriate processes for screening, training, and monitoring the performance of personnel throughout the period of their employment. This ensures that personnel thoroughly understand their roles and responsibilities in safeguarding the information and information systems of the Department of Physical Education, taking into account the phases prior to employment, during employment, and upon change of position or termination of employment.

Asset Management

The Department of Physical Education shall identify its critical assets and define responsibilities to appropriately protect such assets from potential threats, vulnerabilities, intruders, theft, and damages. This consists of:

  1. Asset Management Policy: The Department of Physical Education shall identify its critical assets and define responsibilities for their appropriate protection.

  2. Information Classification Policy: To ensure that information receives an appropriate level of protection in accordance with its importance and value to the Department of Physical Education.

  3. Media Handling Policy: To prevent unauthorized disclosure, modification, erasure, or destruction of information assets.

Access Control

The Department of Physical Education implements access control policies to restrict information system access solely to authorized users, thereby preventing the disclosure or theft of information and computing equipment, and ensuring secure operations. This consists of:

  1. Information System Access and Usage Control Policy: The Department of Physical Education defines rules and controls for data access and information system usage, protecting data and information from unauthorized access.

  2. Operating System Access Control Policy: To maintain security and prevent unauthorized access to operating systems.

  3. Application and Information Access Control Policy: The Department of Physical Education defines rules to control and restrict access to applications and information from unauthorized users.

Cryptography

The Department of Physical Education establishes a policy to guide data encryption practices. This ensures that information systems effectively maintain data confidentiality, perform user authentication, and efficiently prevent unauthorized data modification through appropriate cryptographic means.

Physical and Environmental Security Policy

The Department of Physical Education establishes controls, preventative measures, and security standards regarding physical access to buildings, facilities, and information system operational areas. These measures are determined based on the criticality of the information technology equipment and the sensitivity of data assets that require confidentiality. This policy shall be strictly binding upon all internal users and external service providers (third-party vendors).