Purpose & Rationale
10 This policy serves as the highest-level statement on Cybersecurity in WHO. The security of information and associated systems and networks is a critical business requirement of WHO.
11 Cybersecurity is the protection of information assets from threats to WHO’s operations, reputation, business continuity, and user identity data. The adoption of best-practice Cybersecurity will reduce Organizational risk.
12 WHO processes and stores information for public and limited/restricted access, which must be readily available and properly protected through modern Cybersecurity practices.
13 This policy establishes the ongoing preservation of best practices security pillars:
- Integrity – safeguarding accuracy and completeness of information and processing methods;
- Availability – ensuring authorized users have access to information/assets; and
- Confidentiality – ensuring information is accessible only to authorized users.
14 This policy outlines the protection of WHO’s information and technology assets from all threats internal and external; deliberate and accidental.
15 Responsibility for corporate privacy and Cybersecurity is every WHO user’s duty.
Scope
16 All WHO information assets capable of connecting to the WHO network.
17 All users at all WHO locations that access and/or use a WHO owned or issued device connected to the WHO network.
18 All staff members, interns, consultants, contractors, visitors or other parties (users) who are provided access to non-public WHO information systems and assets.
Out of Scope
19 PAHO, IARC, UNAIDS, and hosted partnerships information assets not capable of connecting to the WHO network.
Support Documentation
20 Documentation defining the rules & standards, procedures, and technology standards shall provide additional detail. These documents are routinely updated to take into account changes in technology and risk.
21 This policy is an overarching document which shall be read in conjunction with the following documents as and when applicable:
- Rules & Standards
- Definitions
- Standard Operation Procedures
- Technology standards
Policy
Information Security Management
22 All users accessing WHO’s information assets shall protect the confidentiality, integrity, and availability of those assets.
23 All users shall strive to protect information to guard against reputational damage to WHO.
24 Information assets must only be used for their intended business purpose(s) according to WHO’s
Access and Password Management Rules.
Network Security Management
25 WHO staff within the respective role shall ensure appropriate network security for WHO IT systems, in accordance with the
Network Security Rule.
Email
26 Electronic email is pervasively used at WHO and is often the primary communication and awareness method within the organization. At the same time, misuse of email can post many legal, privacy and security risks, thus it’s important for staff and non-staff to understand the appropriate use of Email. Staff and non-staff operating on behalf of WHO must follow the
Email Security Rule.
Incident Management
27 WHO shall ensure timely and accurate identification, containment, and remediation of Cybersecurity incidents, in accordance with the
Cybersecurity Incident Management Rule. Cybersecurity incident management allows timely and accurate identification, containment, and remediation of Cybersecurity incidents.
Encryption
28 WHO data in transit via any network shall be encrypted. The
Encryption Rule details case types and procedures.
Risk Assessment
29 Computing solutions shall follow the
Solution Risk Assessment Rule. The risk assessment is initiated by the user, considered and cleared/rejected by the Information Technology Leadership Team (ITLT), and (if cleared by ITLT) is considered and approved/deferred/rejected by the Information Technology Steering Committee(ITSC).
30 Cybersecurity risks and requirements shall be considered at the earliest possible stage of defining requirements for the procurement of IT solutions, and at every lifecycle stage thereafter.
Business Continuity
31 Business continuity plans shall be included by the IT solution staff owner in any IT-related solution to support the Organization during high-impact incidents.
32 Business continuity plans will be developed by the IT solution staff owner, maintained, and periodically simulated.
Governance
33 The Office of the CIO provides clearance for Cybersecurity policy, rules & standards, procedures, and technology standards.
Communication
34 All updates and/or changes to the Global Cybersecurity Policy shall be communicated to staff via Information Note on a timely basis. This policy will undergo review on an annual basis.
Roles and Responsibilities
35 The WHO Chief Information Security Officer (CISO) is responsible for the coordination of the Cybersecurity program throughout the Organization, the implementation of Cybersecurity policy, and reporting non-compliance issues to WHO senior leadership.
37 All supervisors are directly responsible for implementing the policy and ensuring staff compliance in their respective departments.
38 The Cybersecurity team is responsible for proactive monitoring detecting of security breaches and investigating all actual and/or suspected information system security breaches.
39 Physical security teams shall coordinate with the Cybersecurity team to secure information processing facilities against unauthorized access, damage, and interference.
Ethics
40 All users must respect the legitimate interests of the Organization. Ethical and acceptable use of information, and associated systems and networks, must be respected and strictly maintained by all users according to the policies set in section XIV of the WHO eManual, and the WHO policies and practices for
Ethical Principles and Conduct of Staff.
Exceptions
41 Exceptions to the requirements of this policy may exist:
- Any deviation from cybersecurity policies shall be documented and submitted for review to the Cybersecurity team.
- Exceptions will be undertaken by the Office of the CIO and documentation of approval will be retained.
- If the exception request involves a high or very high risk, as identified by the CISO and/or CIO, clearance should be sought from the Risk Committee.
- Exceptions will be of fixed time and limited duration.
Compliance
42 Any matter of concern relating to this policy should be reported to the Global Service Desk or the appropriate authority responsible for administering this policy in the WHO location involved; such as the CIO in WHO HQ, the Regional IT Manager in regional offices, the Regional DAF, and the WR in country offices, who will investigate the allegations and refer them to the relevant WHO authorities.
43 For staff members, interns, consultants, contractors, visitors, or other parties (users), failure to comply with this policy may result in various measures being taken against the individual or entity concerned, including ongoing compliance measures, removal of access or, for serious cases, termination of contract or initiation of legal proceedings. For staff members, such failure may result also in disciplinary proceedings being initiated, which could ultimately result in a disciplinary measure up to and including dismissal in accordance with WHO Staff Regulations and Rules.