
Security Policy

For
Anbell Telecommunications
Adapting/Adhering To Legal Procedures

The following legal policy considerations should be reviewed for incorporation into the
security policy of Anbell Telecommunications (hereafter referred to as “The Company”).
The policies subsequently identified are examined with specific attention to the services
offered by The Company as an Internet Service Provider (ISP).

Legal Obligations Awareness

“The Human Resource Manager is responsible for ensuring that all employees are aware
of legal obligations that affect computer use, computer data, and information systems.
Individuals should be made aware of legal obligations that the company has to adhere to,
and be informed of their responsibilities as regards compliance with these obligations.
These requirements should be outlined in staff documentation such as Terms and
Conditions of Employment, and Organization Code of Conduct documents.”

Explanation

All individuals in the company must be held liable for any conduct that may result in
legal action being taken against The Company. Furthermore, The Company must reserve the
right to take legal action for any act that results in damage to, or loss on the part of, The
Company.

ISO 17799 and BS 7799 References

6.1.4 Terms and conditions of employment


12.1.1 Identification of applicable legislation

Complying With Data Protection Act

“The Company intends to comply fully with the requirements of Data Protection
legislation in so far as it affects the immediate business of The Company.”

Explanation

As an internet service provider (ISP), The Company collects and stores a large quantity of
data on the users of its service. In addition, the information systems used by customers
(such as web hosting service and email server) may be used to store or transmit personal
information. The Company must therefore ensure the confidentiality of personal
information to protect The Company from susceptibility to legal action on the part of
customers as far as Jamaican law will permit.

The protection of personal information stored on Company systems also needs to be
balanced with making information available for law enforcement. Law enforcement
agencies may request information on customers for use in investigations of suspected
criminal activities, or prosecution of suspected criminals. The Company needs to ensure
that due process is followed in situations that may require disclosure of sensitive
information.

ISO 17799 and BS 7799 References

12.1.4 Data protection and privacy of personal information

Complying with Copyright and Patent Legislation

“The Human Resource Manager is responsible for preparing guidelines for staff members
which will make them aware of issues relating to Copyright and Patent Legislation of
Jamaica as they relate to their respective duties.”

Explanation

The protection of copyright is a global issue. Employees need to be aware of these
issues, and act in accordance with them. Guidelines should cover content posted on The
Company’s website and distributed using electronic mail services. The Company should
also examine the extent to which it is liable for content published by third parties on web
space hosted by The Company.

ISO 17799 and BS 7799 References

12.1.2 Intellectual property rights (IPR)

Complying with Database Copyright Information

“The Company must comply with legislation pertaining to information stored in
electronic and paper-based databases. The Human Resource Manager must ensure that all
employees are aware of important aspects of said legislation and work in compliance with
it. Employees should specifically be informed of requirements with respect to their
duties.”

Explanation

Information collected from other sources and stored in company databases must not
infringe on copyrights held by other agencies. The Company is also responsible for
ensuring that there are no ambiguities as regards access to, copying, and use of
information in Company databases.

ISO 17799 and BS 7799 References


12.1.2 Intellectual property rights (IPR)

Complying with Copyright and Software Licensing Legislation

“The Company must ensure that all software used on Company computers is properly
licensed and is being used in accordance with the license. It is the responsibility of the
Human Resource Manager to prepare guidelines for employees on important aspects of
Software Copyright and Licensing legislation.”

Explanation

The Company uses BSD (a proprietary UNIX operating system), Linux, and Microsoft
Windows Systems. The Linux operating system is provided with a GNU License which
allows individuals and organizations to use, copy, distribute, and modify the operating
system. This, however, is not true of the BSD and Windows operating systems. The
Company must ensure that its use of software is in compliance with the respective End
User License Agreements (EULA).

ISO 17799 and BS 7799 References

12.1.2 Intellectual property rights (IPR)

Computer Misuse Policies

“The Company will implement computer use policies which all employees will be
required to comply with. The Human Resource Manager is responsible for ensuring that
all staff members are fully aware of these policies as they relate to their duties.”

Explanation

The Company provides all employees with computer access and internet services.
Customer service agents are permitted some degree of latitude as regards use so as to
offer comprehensive support for users of The Company’s internet services. However,
employees need to exercise discretion, and ensure that they do not engage in illegal
activities in fulfillment of the provision of support to users. Such activities include, but
are not limited to: viewing pornography, visiting sites promoting illegal computer access
activities (cracker sites), viewing material advocating terrorism or other sites that threaten
national security. The issue of terrorism is of special importance in light of Jamaica’s
conformance to international terrorism prevention legislation.

Employees must also exercise discretion as regards use of company property during and
after working hours.

ISO 17799 and BS 7799 References

12.1.5 Prevention of misuse of information processing facilities

Record Retention

“The Company will maintain an archive of records of business transactions and will
restrict access to such information. The information will however be made available in
the event of legal proceedings filed against, or initiated by The Company.”

Explanation

Retention of records is a legal requirement of all businesses operating under Jamaican law.
The Company will retain records of business transactions in so far as this is required for
compliance with the law. When stored in electronic format, such records must be stored
in a secure format. The storage and use of such information must also comply with
privacy requirements.

ISO 17799 and BS 7799 References

12.1.3 Safeguarding of organization records


References

RUSecure Policy Template Toolkit (2004)
Retrieved February 2004
from: www.iso17799software.com

Government of Canada Security Information Publication: Guide to Threat and Risk
Assessment for Information Technology (1994)
Retrieved February 2004
from: http://www.cse-cst.gc.ca/en/services/publications/itsg/MG-3.html
