Information Security Policy
Information Security Policy formalizes the governance, structure, and framework for defining the objective of information security of the organization. Information Security Policy also sets out the key rules for the use of information, information technologies, and information systems by employees and other users of the organization (hereafter referred to as “the organization”).
Scope
The Information Security Policy establishes the main direction to enforce information security, additional documents (policy and procedure) will be defined for specific subjects.
This policy applies to protect below area:
IT Infrastructure of the organization (physical, virtual, and cloud)
All information owned, stored, or processed by the organization
Any person/entity who uses or administers data and information of the organization
This policy defines:
Protection means in terms of confidentiality, integrity, and availability of the information
Responsibilities for information security
Legal and contractual framework
The organization has to observe and respect below partners' engagements:
Risk-based and Continual improvement
The organization's information system is exposed to multiple threats. This policy aims at watching particularly below risks:
Data leakage – unauthorized access or public disclosure of confidential information
Particularly: customer information
Unavailability and underperformance – partial or total impossibility to deliver organizational service
Particularly: Atlassian APPs
In a less manner, customer support
The organization is monitoring its level of risk by making regular security assessments and re-evaluating current and identifying new types of risks.
Information Security principles
The organization's security principles are the following:
A comprehensive approach based on standards and risks for the organization and its users
Create a proportional response to the impact, aligned with organization objectives, international standards, and best practices
Continuous improvement of the effectivity and effectiveness
Strong awareness of employees
Maintain compliance with the legal framework
Key roles and responsibilities
Directors - top management
Infrastructure Team - management of IT production and infrastructure
Information Security Duty
Roles and responsibilities
Responsibility | Role |
|---|---|
validate the Information Security Policy | Directors |
validate the security master plan | Directors |
validate the security master plan | Directors |
acknowledging the yearly annual progresses | Directors |
daily monitoring of the compliance with the information security policy requirements | Information Security Duty |
providing assessment of information assets and their availability | Information Security Duty |
drafting internal information security policy documentation | Information Security Duty |
collecting information on information security incidents and monitoring responses to such incidents | Information Security Duty |
reporting on information security issues and other administrative/organizational activities | Information Security Duty |
organizing and conducting general and sectorial trainings on information security | Information Security Duty |
maintain the organization security aligned with law and normative act indicated in this policy | Information Security Duty |
daily monitoring and assessing computer and IT systems | Infrastructure team |
identifying and responding to computer and IT incidents | Infrastructure team |
providing analysis and reporting of computer and IT incidents and security measures | Infrastructure team |
respect all information security policy and enforce security procedures | Infrastructure team |
All employees and users of the information system
Information security is everyone's responsibility. All users of the organization's information system are concerned:
Permanent and temporary employees of the organization;
All persons who may be given access to information of the organization (partners, contractors, consultants, interns, etc.)
All users are obliged to comply with the policy requirements and take responsibility for the proper and thorough implementation of the best practice, particularly:
read and apply all information policy intended for them
keep themselves updated about security practices and policies
follow the mandatory training and awareness
Escalate to their manager and security team any suspicious activity or incident related to the information system as well as a potential security weakness
Information security policy by area
Access and Data management
Use of the organization's information system is restricted according to working needs. Access to confidential information is granted on a need-to-know based.
Vulnerability management
Vulnerability definition, sources of information, patches and updates, vulnerability assessment, hardening, and awareness training.
SDLC and Change management
Business requirements specification, system design, development, testing, and outsourced software development.
Incident management
The organization must identify expected security incidents and define control to detect them. The organization manages all security incidents in accordance with their criticality.
Business continuity and Disaster Recovery
This policy sets out the general principles that establish the approach toward resilience, availability, and continuity of processes, systems, and services. It defines requirements around business continuity, disaster recovery, and crisis management processes.