Acme's Information Security Policy

| CLASSIFICATION | REF | VERSION | DATE | OWNER | AUTHOR |
| --- | --- | --- | --- | --- | --- |
| INTERNAL | ACME-ISMS-POL-OO1-ISP | 0.1 | 22 DEC. 2024 | Acme Financial Institution | Aishat Alli |

CONTROL OF DOCUMENT

REVISION HISTORY

| VERSION | DATE | REVISION AUTHORS | SUMMARY OF CHANGES |
| --- | --- | --- | --- |
| 0.1 | 18 DEC. 2024 | AISHAT ALLI | First draft of the Information Security Policy based on ISO 27002, NIST 800-171, PCI DSS and GDPR |
| 0.3 | | | |
| 0.5 | | | |

APPROVAL

| NAME | TITLE | STATUS |
| --- | --- | --- |
| | | |

1.0 Introduction

This Information Security Policy sets out the strategies and rules that help Acme mitigate security vulnerabilities and ensure the confidentiality, integrity and availability of the organization's assets. The policy is developed in accordance with the requirements of ISO 27002:2022, the Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) guidelines and the General Data Protection Regulation (GDPR).

2.0 PURPOSE

The purpose of this policy is to establish and maintain a comprehensive framework for safeguarding Acme's information assets. It aims to give people within the organization clear direction on protecting those assets against potential threats.

3.0 OBJECTIVES

The primary objectives of this policy are:

  • To ensure the adequacy and effectiveness of management direction and support for information security, in accordance with business, legal, statutory, regulatory and contractual requirements.
  • To establish a defined, approved and understood structure for the implementation, operation and management of information security within the organization.
  • To ensure that an appropriate flow of information on information security takes place between the organization and the relevant legal, regulatory and supervisory authorities.
  • To provide awareness of the organization's threat environment so that appropriate mitigation actions can be taken.
  • To set the tone for securing the entire organization's assets and to inform employees of their expected duties in protecting those assets.

4.0 SCOPE

This policy applies to all Acme assets, including information systems, digital assets, physical assets and human assets, the latter including but not limited to employees, contractors, consultants, temporary workers and third-party partners.

5.0 ROLES AND RESPONSIBILITIES

5.1 Top Management Responsibilities

Acme's top management shall be responsible for the following:

  • Approve the security policies that set out Acme's approach to managing its information security.
  • Evaluate the implementation of information security policies and procedures within the organization.
  • Provide the necessary resources and support for the implementation of the security policies.
  • Ensure that sufficient funding/budget is allocated for information security controls and practices on an annual basis.
  • Require all personnel to apply information security in accordance with Acme's information security policy, topic-specific policies and procedures.
  • Ensure that the responsibilities and authorities for roles relevant to information security are defined, allocated and communicated according to the organization's needs.

5.2 IT Security Responsibilities

The IT Security representative shall:

  • Develop and oversee the implementation of information security policies within the organization.
  • Ensure that the policy is communicated to employees and interested parties in a form that is understandable, and make them aware of their contribution to its effectiveness and of the implications of not conforming with its requirements.
  • Provide security awareness training to all employees and third parties to educate them about the relevant information security policies, security best practices and their role in maintaining security.
  • Ensure that appropriate measures are taken so that confidential information is not improperly disclosed if the information security policy or any topic-specific policy is distributed outside the organization.

5.4 Information Technology (IT) Responsibilities

The Information Technology team shall:

  • Appoint a representative who shall work with the IT Security team to ensure that security controls are integrated into Acme's underlying and supporting technologies.
  • Oversee the implementation of the requirements of all information security related policies across the organization's IT infrastructure and systems, ensuring that security measures are integrated into IT processes and practices.
  • Ensure that IT operations and practices align with applicable regulatory requirements and industry standards.
  • Manage appropriate access provisioning and deprovisioning for individuals based on their responsibilities, in line with the security policy.
  • Carry out any other responsibilities that may be established in the various topic-specific policies.
  • Define and provision roles so as to minimize access problems if a role is removed or reassigned.

5.5 Human Resource (HR) Team Responsibilities

The HR team shall be responsible for the following:

  • Organize security awareness training and orientation programs for new employees, ensuring that they understand their role in maintaining security.
  • Develop onboarding and offboarding processes for employees so that IT can provision and deprovision user accounts and responsibilities appropriately, in line with the security policy.
  • Establish clear processes for handling deviations from, and exceptions to, the information security policy within the organization.
  • Oversee clearance and background check processes for employees and contractors, in conformance with the information security policy.

5.6 Employee, Contractor and Third-Party Responsibilities

Employees, contractors and third parties of Acme shall:

  • Adhere to the information security policy and conform to its requirements.
  • Continuously ensure the protection of Acme's information against unauthorized access, modification, destruction or disclosure.
  • Treat information in an ethical and confidential manner, in compliance with the company's current information security policies.
  • Identify, report, and seek guidance from management and/or the cybersecurity chapter on suspected deviations from this policy.

6.0 Policy Statement

  • An incident response team shall be designated to investigate and respond to security incidents.
  • Procedures for reporting and escalating security incidents shall be established and communicated to all employees, and shall specify when, and by whom, authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) are to be contacted.
  • Data owners shall ensure that sensitive data, both in transit and at rest, is encrypted using industry-standard encryption methods.
  • Acme's top management shall provide sufficient direction and support for the implementation of an effective Information Security Management System according to the requirements of applicable standards, laws and regulations.
  • Acme's management shall provide clear direction to integrate information security risk related projects and deliverables into the organization's projects, and shall ensure that they are effectively addressed in project management throughout the project life cycle.
  • The IT security team shall review the information security policy at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. The review of the information security policy shall take the results of management reviews and audits into account.
  • The IT security team shall periodically assess and review the security controls in the organization's systems to determine whether the controls are effective in their application.
  • Data/asset owners shall oversee and facilitate the segregation of conflicting duties and areas of responsibility to reduce the risk of fraud, error and bypassing of information security controls.
  • Top management shall, in line with the business strategy and risk, designate a team to maintain relevant contact with all stakeholders in its Information Security Management System (e.g. management, law enforcement, regulatory bodies, supervisory authorities, etc.).
  • The IT security team shall collect and analyse information relating to emerging threats to produce threat intelligence and facilitate informed actions that prevent those threats from causing harm to the organization.

6.7 Topic-Specific Policies

Acme shall define policy in a wide variety of information security related areas, which are described in detail in a comprehensive set of policy documentation that accompanies this main information security policy. The following policies are relevant to this Information Security Policy and provide additional information about how it is applied:

  • Access Control Policy: This policy shall establish the security requirements for controlling access to Acme's sensitive information, network infrastructure and systems. It describes the mechanisms that shall be applied to assure a high level of security for its information assets, infrastructure and systems.
  • Data Handling and Classification Policy: This policy sets out the rules created to monitor and manage the organization's data. It is a comprehensive plan for categorizing Acme's stored information based on its sensitivity level, ensuring proper handling and lowering organizational risk, and it ensures that information receives a level of protection appropriate to its importance to the organization.
  • Acceptable Use of Assets Policy: This document sets out the rules and guidelines that Acme personnel shall follow when using the organization's IT resources, including networks, devices and software. It defines acceptable and prohibited behaviours, aiming to protect assets, ensure security and maintain a productive work environment. Violations can lead to disciplinary action.
  • Endpoint Device and Remote Working Policy: The endpoint device policy is a document supporting the security measures that shall be adopted to manage the risks introduced by the use of mobile devices. The teleworking policy addresses the information security best practices to be followed when adopting the teleworking model; it shall be implemented to protect information accessed, processed or stored at teleworking sites.
  • Change Management Policy: This document sets out the organization's policy for managing changes in a well communicated, planned and predictable manner that minimizes unplanned outages and unforeseen system issues.
  • Information Security Third Partnership Policy: This policy accounts for the information security risks related to third-party relationships.
  • Information Security Awareness Policy: This policy sets out ways of raising Acme's consciousness of the potential risks to the rapidly evolving forms of information and of the rapidly evolving threats to that information which target human behaviour.
  • Secure Development Policy: This policy sets out the practices and procedures that Acme's IT developers shall follow to mitigate the risk of security vulnerabilities in the development environment.
  • Asset Management Policy: This policy sets out the main rules for the management of assets and is supported by more specific procedures that detail how these rules shall be implemented.

7.0 Non-Compliance

All employees shall follow the requirements described here unless an exception is identified and required by the regulatory bodies to which Acme Group is subject. Any exception or deviation from the information security policy and its supporting directives must be based upon a unique legislative or business requirement. Requests for a policy exception shall be duly documented, their related risk assessed, and the request submitted to the Information Security representative before the waiver or exception may be implemented. All approved exceptions or deviations shall be recorded and managed in the risk register and reviewed on an annual basis.
