README copy.md

Overview

This framework guides your organization to agree on well-defined objectives for strategy and security of information. A set of digital security policies aimed to help you improve your digital safety and resiliency, and also promote digital rights and privacy for all, in Jordan and around the globe.

Information security focuses on three main objectives:

• Confidentiality — considers proper authorization to access and use assets
• Integrity — considers data integrity and authenticity
• Availability — considers ease of access to information or systems when necessary

Grouped and categorized you will find a set of policies that you may use as a basis to develop your own tailored set of policies.

A Digital Security Policy or Policy in this context identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. Effective security is ensured by deploying and enforcing of such policies in the workplace and for all employees.

Every Policy consists of four different sections:

• Objectives - what the policy aims to accomplish?
• Scope - who, what, and when this policy applies.
• Conditions - list of goals needed to accomplish our desired aims.
• Compliance Rules - list of responsibilities for compliance and actions to be taken in the event of noncompliance.

Free use disclaimer This policy was created by the Jordan Open Source Association (JOSA) for the Internet community.
All or parts of this framework can be freely used for your organization.
There is no prior approval required.

?> Looking to contribute? Read the contribution guide.

---

Revisions

Revision	Description	Date	Tag
1.11	The initial revision	07/03/2022	TID
1.22	The initial revision	20/04/2022	TID

---

Notation

To better reference policy components in this toolkit we use the following notation systems.

Policies

Every Policy is denoted as CXPY where:

• X is a number which denotes the category of the digital policy
• Y is a number which denotes the policy in that category

Conditions

Every Condition is denoted as CXPY.CZ where:

• X is a number which denotes the category of the digital policy
• Y is a number which denotes the policy in that category
• Z is a number which denotes the condition for that policy

Complience Rules

Every Complience Rule is denoted as CXPY.CRZ where:

• X is a number which denotes the category of the digital policy
• Y is a number which denotes the policy in that category
• Z is a number which denotes the condition rule for that policy

---

Policy Categories

C1 - Behavioral Security

• C1P1 - On-Boarding Policy
• C1P2 - Off-Boarding Policy
• C1P3 - Threat & Harassment Policy
• C1P4 - Social Engineering Awareness Policy
• C1P5 - Acceptable Use Policy

C2 - Physical Security

• C2P1 - Travel Policy
• C2P2 - BYOD Policy
• C2P3 - Clean Disk Policy
• C2P4 - Removable Media Policy

C3 - Account Security

• Account Management
  • C3P1 - Account Security Question Policy
  • C3P2 - Account Recovery Policy
  • C3P3 - Two-Factor Authentication Policy
• Passwords
  • C3P4 - Password Construction Policy
  • C3P5 - Password Recycling Policy
  • C3P6 - Password Managers Policy
• Social Media
  • C3P7 - Social Media Account Verification Policy
  • C3P8 - Social Media Authorities Policy

C4 - Software Security

• C3P1 - Browsers Policy
• C3P1 - Antivirus Policy
• C3P1 - VPN Policy
• C3P1 - Software Installation Policy

C5 - Communication Security

• General
  • C5P1 - Secure Communication Policy
• Email
  • C5P1 - Email Policy
  • C5P1 - Email Retention Policy

C6 - Data Security

• C6P1 - Data Accessibility Policy
• C6P2 - Database Access Policy
• C6P3 - Archiving Policy
• C6P4 - Data Retention Policy
• C6P5 - Disclosure Policy
• C6P6 - Information Logging Policy

C7 - Crises Operation

• C7P1 - Remote Access Policy
• C7P2 - Disaster Recovery Policy
• C7P3 - Pandemic Response Planning Policy
• C7P4 - Risk Assessment Policy