G E N E R A L S E C R E T A R I A T
ADMINISTRATIVE MEMORANDUM NO. 90
I. PURPOSE AND SCOPE
1. The Purpose of this Administrative Memorandum is to set out the Information Systems Security Policy of the General Secretariat of the Organization of American States ("GS/OAS").
2. The Scope of the GS/OAS' Information Systems Security Policy includes the confidentiality, integrity, and availability of information obtained, created or maintained by the GS/OAS. It covers both accidental and intentional disclosure of, or damage to, GS/OAS information, and it is applicable to all the data at all levels of sensitivity, whether maintained in-house or under contract. The Policy applies to all installations and GS/OAS employees. Through contractual agreement, it also applies to all service bureaus and other independent contractors performing services for the GS/OAS.
1. Custodian: The custodian is responsible for the processing and storage of the information. For some applications, the Department of Management Systems and Information Technology is the custodian; for other applications, the owner or user may retain custodial responsibilities.
2. Data Security Manager: The Data Security Manager, appointed by the Assistant Secretary for Management, shall normally be the Director of the Department of Management Systems and Information Technology. The Data Security Manager shall oversee the implementation of the Data Security program for the General Secretariat.
3. Dependencies of the General Secretariat: This term connotes Executive Secretariats, Departments, Units, and Offices of the General Secretariat directed by staff members at the P-5 level and above.
4. Information Systems Security: This is the process by which the confidentiality, integrity, and availability of systems' data for authorized users is protected and assured.
5. Owner: The owner of a collection of information is the person responsible for assuring that collection of information achieves the purposes for which it was created or acquired by GS/OAS. The Owner is normally the person who created or acquired the information system for GS/OAS. Where appropriate, ownership may be shared by managers of different dependencies of the General Secretariat.
6. User: The user is any person who has been authorized to read, enter or update information by the owner of the information.
1. In the absence of sufficient security, GS/OAS' information systems may not be used to their full potential. Furthermore, lack of confidence in its information systems impedes GS/OAS' ability to provide requested services or to develop programs and activities.
2. GS/OAS relies on the proper functioning of its information systems, and the security of those systems must be maintained in an effective and consistent manner. A system of internal controls must exist to safeguard those systems. Information must be processed in a secure environment and all employees must share the responsibility for the confidentiality, integrity, and availability of information.
The following security principles shall be observed by all staff members and independent contractors managing or otherwise using the General Secretariat's information systems:
1. Access Control: Sensitive data must be protected from unauthorized disclosure, modification, or destruction. Data and system owners, together with the Custodian and Data Security Manager, are responsible, for assuring adequate access control for their sensitive resources.
2. Accountability: Actions taken on computer systems or networks at the GS/OAS must be associated with an individual for accountability purposes. Systems and networks must adequately log activity and report violations of security policy in a manner that permits investigation and correction of violations.
3. Continuity: The continuity of critical operations for the GS/OAS must be assured through the development and testing of a Continuity Plan. This plan must reflect the GS/OAS' needs and demonstrate adequate recovery of functions in the event of a disaster that makes existing systems unavailable.
4. Data Sensitivity: All data owned or managed by GS/OAS must be evaluated according to the data sensitivity standard published by the Data Security Manager. Sensitive data must be protected in a manner that is appropriate to its value to the GS/OAS.
5. Security Review: All control mechanisms and procedures are subject to independent review to validate their correct operation and adherence to policies.
6. Ownership: Information processed by a computerized system must have an identified owner, and this assignment must be formally documented.
1. Owner: The owner of the information has the authority and responsibility to:
2. Custodian: The custodian is responsible for the administration of controls as specified by the owner. This includes:
3. User: A user of information has the responsibility to:
4. The Data Security Manager: The Data Security Manager has the responsibility to:
1. Failure of GS/OAS staff members to observe the principles or to comply with the corresponding responsibilities set out in this Administrative Memorandum, as well as failure to observe standards, procedures, or guidelines established and duly published pursuant to this Administrative Memorandum, shall be considered a violation of the "administrative provisions of the General Secretariat" within the meaning of Staff Rule 101.3 and may constitute grounds for application of a disciplinary measure under Chapters X and XI of the Staff Rules, including dismissal from service, as well as grounds for the recovery of the resulting financial damages incurred by the General Secretariat.
2. Failure of independent contractors to observe the principles or to comply with the corresponding responsibilities set out in this Administrative Memorandum as well as their failure to observe standards, procedures, or guidelines established and duly published pursuant to this Administrative Memorandum, shall be grounds for termination for cause under the corresponding contract, and the independent contractor shall be liable for any damages incurred by the General Secretariat as a result of such nonobservance.
3. Independent Contractors having access to GS/OAS information systems shall be provided a copy of this Administrative Memorandum, together with copies of standards, procedures, and guidelines issued pursuant hereto, by the dependency of the General Secretariat which issues their contract. The Data Security Manager shall be responsible for supervising and ensuring compliance with this requirement.
4. All such instances of nonobservance of this Administrative Memorandum and standards, procedures, or guidelines issued pursuant hereto, shall be reported to the Assistant Secretary for Management for the appropriate action.
This Administrative Memorandum supersedes any contrary provision, regulation, or practice of the General Secretariat.
This Administrative Memorandum shall enter into force on the date it is signed.
Date: November 30,1998