1. Introduction
Our company is committed to protecting the confidentiality, integrity, and availability of our information assets, including the personal and confidential information of our customers and employees. This policy sets out the requirements for the secure handling, storage, and processing of company and customer data, and outlines the measures that we have implemented to mitigate cybersecurity risks.
2. Information Security Roles and Responsibilities
Information security is the responsibility of all employees, contractors, and third-party service providers. The Chief Information Security Officer (CISO) is responsible for overseeing the implementation and maintenance of the company’s information security program, and for ensuring that all employees are aware of their responsibilities with respect to information security.
3. Information Classification
All company and customer information must be classified based on its sensitivity and importance, and appropriate measures must be implemented to protect it. The following classification levels should be used:
- Public Information: information that is intended for public consumption and does not require any special protection
- Internal Information: information that is intended for use by the company’s employees and is not intended for public disclosure
- Confidential Information: information that is intended for use within the company and is not intended for public disclosure, including personal and financial information of customers and employees
4. Access Control
Access to company and customer information must be restricted to authorized personnel only, and appropriate measures must be implemented to ensure that access is granted on a need-to-know basis.
The following access control measures should be implemented:
- User authentication: all users must be authenticated before being granted access to the company’s information systems
- User authorization: access to specific information assets should be granted based on the user’s job function and need-to-know
- Password management: all users must be required to create strong passwords that are changed regularly, and multi-factor authentication should be used where possible
- User account management: all user accounts should be reviewed regularly to ensure that access rights are appropriate and up-to-date
- Third-party access: access by third-party service providers must be strictly controlled and monitored
5. Information Security Controls
The following information security controls must be implemented to protect the company’s information assets:
- Encryption: all sensitive information must be encrypted in transit and at rest
- Firewalls: firewalls must be used to restrict access to the company’s information systems and to prevent unauthorized access
- Intrusion detection and prevention: intrusion detection and prevention systems must be used to detect and prevent unauthorized access attempts
- Patch management: all software and hardware must be kept up-to-date with the latest security patches and updates
- Antivirus software: all systems must be protected by antivirus software that is kept up-to-date
- Incident response: an incident response plan must be in place to ensure that all security incidents are handled appropriately
6. Acceptable Use
All employees, contractors, and third-party service providers must use company information systems and assets in an acceptable manner, in accordance with the company’s Acceptable Use Policy. This includes:
- Prohibiting the use of company assets for personal gain
- Prohibiting the unauthorized sharing of confidential information
- Prohibiting the use of company assets for illegal or unethical purposes
- Prohibiting the installation of unauthorized software or hardware on company systems
- Requiring that all company assets be used in accordance with applicable laws and regulations
7. Training and Awareness
All employees, contractors, and third-party service providers must be provided with appropriate training and awareness programs to ensure that they are aware of their responsibilities with respect to information security. This should include regular security awareness training and phishing simulation exercises to test and improve the knowledge and awareness of all users.
8. Compliance and Monitoring
The company is committed to complying with all applicable laws, regulations, and industry standards related to cybersecurity and information security. The CISO will be responsible for monitoring compliance with this policy and for conducting regular security assessments to identify and mitigate any potential cybersecurity risks.
9. Reporting and Incident Management
All employees, contractors, and third-party service providers must report any suspected security incidents or breaches to the CISO as soon as possible. The company will follow established incident management procedures to ensure that all incidents are investigated promptly, and that appropriate corrective and preventative measures are taken.
10. Review and Update
This policy will be reviewed and updated regularly to ensure that it remains relevant and effective in the face of evolving cybersecurity threats and regulatory requirements. Any changes to this policy will be communicated to all employees, contractors, and third-party service providers in a timely and effective manner.
By following this policy, our company is committed to ensuring the confidentiality, integrity, and availability of our information assets, and to maintaining the trust and confidence of our customers and stakeholders.