
sdp-cso's Introduction

Digital Security Policies for CSOs

This framework helps your organization agree on well-defined objectives for its information security strategy. It is a set of digital security policies intended to improve your digital safety and resilience, and to promote digital rights and privacy for all, in Jordan and around the globe.

Information security focuses on three main objectives:

  • Confidentiality — considers proper authorization to access and use assets
  • Integrity — considers data integrity and identity authenticity
  • Availability — considers ease of access to information or systems when necessary

The policies are grouped and categorized so that you can use them as a basis for developing your own tailored set of policies.

A Digital Security Policy (or simply Policy) in this context identifies the rules and procedures for all individuals accessing and using an organization's IT assets and resources. Effective security is ensured by deploying and enforcing such policies in the workplace and for all employees.

Every Policy consists of four different sections:

  • Objectives - what the policy aims to accomplish.
  • Scope - who, what, and when this policy applies to.
  • Goals - the list of goals needed to accomplish the desired aims.
  • Compliance - the list of responsibilities for compliance and the actions to be taken in the event of noncompliance.

Free use disclaimer: this policy was created by the Jordan Open Source Association (JOSA) for the Internet community. All or parts of this framework can be freely used by your organization; no prior approval is required.

?> Looking to contribute? Read the contribution guide.

About JOSA

The Jordan Open Source Association (JOSA) is a non-profit organization based in Amman, Jordan. The association is among the few non-profit organizations registered with the Jordan Ministry of Digital Economy and Entrepreneurship.

JOSA’s mission is to promote open source principles for the good of Jordanian society. We believe that information that is non-personal – whether it’s software code, hardware design blueprints, data, network protocols and architecture, content – should be free for everyone to view, use, share, and modify. Our belief also holds that information that is personal should be protected within legal and technological frameworks. Access to the modern Web should likewise remain open.

Revisions

| Revision | Description          | Date       | Tag |
|----------|----------------------|------------|-----|
| 1.11     | The initial revision | 07/03/2022 | TID |
| 1.22     | The initial revision | 20/04/2022 | TID |

Notation

To make policies easier to reference in this document, we use a simple notation system.

Every policy is denoted as x.y.z where:

  • x is the category of the digital policy
  • y is the group of policies in that category
  • z is the number of that policy in that group

Examples: C1.2.3, P3.4.17

Categories of Digital Policies

The standard digital policies vary depending on the security category they belong to.

The categories are as follows:

1. Physical Security

Overview

Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment, and resources, and to protect personnel and property from damage or harm[1].

Physical security systems for protected facilities are generally intended to:

  • deter potential intruders.
  • detect intrusions and monitor/record intruders.
  • trigger appropriate incident responses.

Physical security can be affected by multiple procedures and standards. These include, but are not limited to, the following policies:

Policies

1.1 Travel Policy

Objectives

This policy aims to:

  • Ensure the safety of the organization’s assets when they are accessed remotely.
  • Ensure that routine operations, assets, and the risk management system continue to function.
  • Ensure you have the proper data backup and recovery plan needed.

Scope

This policy applies to:

  • your employees
  • any external contractors

Conditions

  • 1.1.1 - Specific risks of a destination should be assessed in advance, and adequate measures need to be in place in case of necessity. Otherwise, the travel should not be undertaken.
  • 1.1.2 - The organization will enable all employees and experts to prepare themselves by means of adequate instructions regarding travel safety and security.
  • 1.1.3 - For all business trips, all operational updates and operations involving the employee or contracted individual should be recorded in a separate document, accessible only to authorized and concerned parties, in case of emergencies. All of the trip’s updates and operational details will be stored in this document.
  • 1.1.4 - When a situation occurs abroad and staff or contracted individuals are not available, the organization’s ethical committee should be able to provide guidance at short notice or take a decision on the matter, prioritizing action based on the gravity of the consequences.
  • 1.1.5 - The information security officer will be responsible for monitoring the implementation of the Travel Security Policy and its regular review.
  • 1.1.6 - All security incidents or near-incidents should be reported by the employee, the contracted individual, or their manager to the officer and the ethical committee. The Board will then discuss the follow-up and the actions needed.

The purpose of this Travel Policy is to ensure the safety of the organization’s assets when they are accessed remotely. It covers all the procedures followed by personnel or contracted individuals and how they affect the organization’s routine operations, assets, risk management system, and the recovery plan needed.

Policy Compliance

!> Compliance Measurement: the InfoSec team will verify compliance with this policy through various methods, including but not limited to periodic check-ups, internal audits, and feedback.

Exceptions: any exception to the policy must be approved by the ethical committee or the board in advance.

1.2 - BYOD Policy

1.3 - Threat and Harassment Policy

1.4 - On/Off Boarding Policy

1.5 - Clean Disk Policy

1.6 - Removable Media Policy

2. Social Media Security Policy

Overview

Social media security is specifically concerned with the protection of social platforms’ accounts, credentials, data, and personal information. Attackers often use social media accounts during the reconnaissance phase of a social engineering or phishing attack. Social media gives attackers a platform to impersonate trusted people, and accounts are exposed to hacking, any type of compromise, and/or data breach. This applies to platforms such as, but not limited to, Facebook, Twitter, WhatsApp, and Instagram.

The purpose of a social media security strategy is to give people the ability to do what is needed without compromising security, while maintaining the “Least Privilege” principle.

Social media security can be affected by multiple procedures and standards. These include, but are not limited to, the following policies:

Policies

Social Media Account Verification Policy

Purpose
Scope
Policy
Policy Compliance

Social Media Authorities Policy

3. Email Policy

Overview

Policies

4. Crisis Operations Policy

Overview

Policies

5. Communication

Overview

Policies

6. Account Security

Overview

Policies

Resources

Contributing

Glossary

| Term            | Definition                                                                                           |
|-----------------|------------------------------------------------------------------------------------------------------|
| Confidentiality | Confidentiality involves the protection of assets from unauthorized entities                         |
| Integrity       | Integrity ensures the modification of assets is handled in a specified and authorized manner         |
| Availability    | Availability is a state of the system in which authorized users have continuous access to said assets |
