1. Introduction

 Alpha

The rapid development, widespread and increasing competition requires the creation of a unified system of information privacy in corporate networks based on scientific and methodological principles of information privacy, taking into account the modern development tendencies of network technologies, and via mutual coordination of legal, organizational, technical and physical security measures.

Referring to the provision of information privacy means the confidentiality, integrity and availability of information provide. Confidentiality of information is provided when the access to information is granted only to persons permitted, integrity – when the data is added agreed changes, availability - persons permitted access to necessary information resources at the very time.

In this sense, information privacy policy (hereinafter referred to as – Politics) determines vision system to provide problem of information privacy in ANAS corporative networks,explains aims, tasks, organizational, technological and procedure aspects of the information privacy in a systematic way.

2. Goals and objectives of the policy

 Goal

• minimization material and moral damages of the threats to information privacy to ANAS network and information resources;            
• enhance of ANAS business prestige;
• formation of unified principles for creation of information privacy system
• formation of relevant organizational-methodical base for creation, activity and development of information privacy system.

 The issues should be solved during creation of information privacy system:

• Determination of list of the potential threats to information security in ANAS corporate network, and threats analysis;
• Classification of information resources in ANAS corporate network;
• Identification of common requirements advanced in terms of information security for the information technologies applied in ANAS corporate network;
• Formation of demands related in information privacy system.

3. Sphere of influence

 This policy is applied to information resources, systems and networks belonged to Presidium of ANAS and all organizations, and whole ANAS employees who have access to applications in any form.

4. Responsible for information privacy

4.1  Accordance with the requirements of this policy is mandatory for all associates and people who use ANAS corporate network within signed contracts.

4.2  Key responsibility over information privacy lays on heads of the organizations, person who had formally appointed on Information privacy, directly is responsible for the implementation and management of this policy and related procedures.

4.3  Heads of structural units of the organizations are responsible for provide of permanent and temporary employees to be informed of the following:

• their information privacy policies that can be applied in the fields of activity;
• personal liability of employees on information privacy;
• the rules application for advice on information privacy issues.

4.4  All associates should carry out information privacy procedures including provide of data confidentiality and integrity. Otherwise, disciplinary action may be performed.

4.5  Heads of structural units of the organizations are responsible for physical safety of the information storage or processing environment in their areas.

4.6  Each associate is responsible for the safe operation of information systems used by.

4.7  Each user of the system should carry out safety demands specified in the relevant Policy, also should ensure a high level of protection of the confidentiality, integrity, availability of information.

4.8  Contracts that allow external users to enter information system of the organization should be come into force before. These contracts should guarantee for the fulfillment of the relevant privacy policy

5. Fundamentals of legislation 
   

Alpha

Legislative framework of this policy consists of the following laws and legal documents, as well as the international conventions joined by Republic of Azerbaijan:

• The Constitution of the Republic of Azerbaijan;
• Information, informatization and law of the Republic of Azerbaijan on information protection;
• Law on the State Secret of the Republic of Azerbaijan;
• Law on the Trade Secret of the Republic of Azerbaijan;
• Law on the Electronic signature and electronic document of the Republic of Azerbaijan;
• Law on the Electronic trade of the Republic of Azerbaijan;
• Law on the legal protection of Data collection of the Republic of Azerbaijan;
• Law on the Access to Information of the Republic of Azerbaijan;
• Law on the Freedom of information of the Republic of Azerbaijan;
• Law on the Mass media of the Republic of Azerbaijan;
• Law on the Telecommunication of the Republic of Azerbaijan;
• Criminal Code of the Republic of Azerbaijan;
• UNO Declaration of Human Rights.

6. Executive summary 
   

6.1 Management of information privacy 

• Responsibility for information privacy in the level of organization’s direction is laid on the first leader.
• Officially appointed officer on organization's information privacy is responsible for implementation, monitoring, documentation and delivery of security requirements to employees.

6.2 Awareness and background on Information privacy

• Awareness on Information privacy should be included in the official start of employees.
• Relevant awareness and training programmes should be determined in order to update employees’ information about information privacy in the necessary level.

6.3 Employment contracts

• Requirements on information privacy should be taken account while employment stage and item on confidentiality should be reflected in all relevant contracts.
• Employees’ tasks over information privacy should be included to the obligations of appropriate position.

6.4 Control over the privacy of assets 

• Each of Information privacy assets (hardware and software, application software, electronic documents, databases) should be defined the person responsible for the information privacy.

6.5 Access Control 

• Entrance to the rooms and premises where had located important information systems and information resources should be given to only the people whose permission has substantiated, approved and authorized.
• Access to information and computer facilities should be limited with authorized people.
• Access to data, system utilities and library programs should be controlled and be limited with authorized users, for example, the system or database administrators. 
  

6.6 Safety of equipment 

In order to minimize losses and damage, all of the assets and equipment should be protected from threats, as well as natural disasters.

6.7 Malware protection software 

In order to protect ANAS corporate network from malware, the software facilities and management procedures should be used. All employees are expected to support this policy in full. The users should not install software in the property of the organization without the permission of the network or system administrator. Disciplinary action may be performed against users who violate this requirement.

6.8 Information privacy events and the gaps 

Monitoring and Information Privacy Service of ANAS corporate network should be informed about information privacy events and disputed issues. Causes and effects of the event should be investigated in order to prevent future similar events.

6.9 Mobile communication carriers

The consent of the person responsible for information security is required for utilization of mobile communication carriers which stores software and data from external sources, or used in the all types of equipment. Before using the equipment of the organization is scanned via antivirus software. Disciplinary action may be performed against users who violate this requirement.

 6.10 Accreditation of Information systems 

Organizations should provide the new information technologies, software and networks to have safety plans, and the assertion of these plans by responsible person on information privacy before they had operated.

(Creation a number of system-level Privacy Policies by organizations for attached systems is supported, here, the goal is to implement the relevant differences between theoretical viewpoint of safety management and demands for each system. In this way, direct obligations may be assigned to those who use the system.)

 6.11 Control over changes in the system

 Information systems, application software or network changes should be agreed in advance with Monitoring and Information Privacy Service.

 6.12 Restoration plans after non-stop action and disaster

 Organizations should estimate the impact of critical treats to application programs, systems and networks, and provide the elaboration of restoration plans after non-stop action and disaster.

 6.13 Report

 Monitoring and Information Privacy Service should inform the administration about the state of information privacy of ANAS corporate network via regular reports and presentations.

 6.14 Audit of Information privacy

 Periodically audit should be held in ANAS corporate network for verify and estimate the compliance of information privacy to provisions of this policy. Rules for conducting the audit shall be determined in a separate audit policy in ANAS corporate network.

 6.15 Access to information systems and use of monitoring 

• Audit records of the entries to information systems and use of information resources should be protected by employees and regularly considered.
• If there is any doubt about compliance with this policy, Monitoring and Information Privacy Service has the right to conduct research.

6.16    Survey on Information Privacy 

• Information Privacy Policy should be protected, overviewed and updated by Monitoring and Information Privacy Service.
• Used information technologies and the organization of services, information privacy continuously change, and it makes necessary to amend for ensure of information privacy. Because, compliance of the Policy with the relevant demands should be reviewed on a regular basis.
• Results of audit over information privacy may be a basis for the revision of certain provisions of the Policy and for necessary amendments. If necessary, changes and additions should be added to the Policy, when non-compliance had revealed with modern requirements in audit process.

For more information click to www.cert.az website