Rapid development and widespread, increasing competition require the creation of a unified system of information privacy in corporate networks. This system should be based on the scientific and methodological principles of information privacy, take into account modern development trends in network technologies, and rest on the mutual coordination of legal, organizational, technical and physical security measures.
Providing information privacy means providing the confidentiality, integrity and availability of information. Confidentiality is provided when access to information is granted only to permitted persons; integrity, when only agreed changes are made to the data; availability, when permitted persons have access to the necessary information resources at the time they need them.
The following issues should be solved during the creation of an information privacy system:
This policy applies to the information resources, systems and networks belonging to the Presidium of ANAS and all organizations, and to all ANAS employees who have access to applications in any form.
4.1 Compliance with the requirements of this policy is mandatory for all associates and for people who use the ANAS corporate network under signed contracts.
4.2 Key responsibility for information privacy lies with the heads of the organizations; the person formally appointed for information privacy is directly responsible for the implementation and management of this policy and related procedures.
4.3 Heads of structural units of the organizations are responsible for ensuring that permanent and temporary employees are informed of the following:
4.4 All associates should carry out information privacy procedures, including ensuring data confidentiality and integrity. Otherwise, disciplinary action may be taken.
4.5 Heads of structural units of the organizations are responsible for the physical safety of the information storage or processing environment in their areas.
4.6 Each associate is responsible for the safe operation of the information systems they use.
4.7 Each user of the system should comply with the safety requirements specified in the relevant Policy and should also ensure a high level of protection of the confidentiality, integrity and availability of information.
The legislative framework of this policy consists of the following laws and legal documents, as well as the international conventions joined by the Republic of Azerbaijan:
6.1 Management of information privacy
6.2 Awareness and background on Information privacy
6.3 Employment contracts
6.4 Control over the privacy of assets
6.5 Access Control
6.6 Safety of equipment
In order to minimize losses and damage, all of the assets and equipment should be protected from threats, as well as natural disasters.
6.7 Malware protection software
To protect the ANAS corporate network from malware, software tools and management procedures should be used. All employees are expected to support this policy in full. Users should not install software on the organization's property without the permission of the network or system administrator. Disciplinary action may be taken against users who violate this requirement.
6.8 Information privacy events and gaps
The Monitoring and Information Privacy Service of the ANAS corporate network should be informed about information privacy events and disputed issues. The causes and effects of an event should be investigated in order to prevent similar events in the future.
6.9 Mobile communication carriers
The consent of the person responsible for information security is required for the use of mobile communication carriers that store software and data from external sources or that are used in any type of equipment. Before being used on the organization's equipment, such carriers are scanned with antivirus software. Disciplinary action may be taken against users who violate this requirement.
6.10 Accreditation of Information systems
Organizations should ensure that new information technologies, software and networks have safety plans, and that these plans are approved by the person responsible for information privacy before they are put into operation.
(The creation by organizations of a number of system-level Privacy Policies for their attached systems is supported; the goal is to reflect the relevant differences between the theoretical viewpoint of safety management and the demands of each system. In this way, direct obligations may be assigned to those who use the system.)
6.11 Control over changes in the system
Changes to information systems, application software or networks should be agreed in advance with the Monitoring and Information Privacy Service.
6.12 Continuity of operations and post-disaster restoration plans
Organizations should estimate the impact of critical threats to application programs, systems and networks, and ensure that plans for continuity of operations and for restoration after a disaster are developed.
The Monitoring and Information Privacy Service should inform the administration about the state of information privacy in the ANAS corporate network through regular reports and presentations.
6.14 Audit of Information privacy
Audits should be held periodically in the ANAS corporate network to verify and assess the compliance of information privacy with the provisions of this policy. The rules for conducting the audit shall be determined in a separate audit policy for the ANAS corporate network.
6.15 Access to information systems and use of monitoring
6.16 Survey on Information Privacy
For more information, visit the www.cert.az website.