Information Security Policy

This Information Security Policy formalizes the governance, structure, and framework that define the organization's information security objectives. It also sets out the key rules for the use of information, information technologies, and information systems by employees and other users of the organization (hereafter referred to as "the organization").

Scope

The Information Security Policy establishes the main direction for enforcing information security; additional documents (policies and procedures) will be defined for specific subjects.

This policy applies to the protection of the following areas:

  • IT Infrastructure of the organization (physical, virtual, and cloud)

  • All information owned, stored, or processed by the organization

  • Any person/entity who uses or administers data and information of the organization

This policy defines:

  • Protection means in terms of confidentiality, integrity, and availability of the information

  • Responsibilities for information security

Legal and contractual framework

The organization must observe and respect the following partner engagements:

Risk-based and Continual improvement

The organization's information system is exposed to multiple threats. This policy focuses particularly on the following risks:

  • Data leakage – unauthorized access or public disclosure of confidential information

    • Particularly: customer information

  • Unavailability and underperformance – partial or total impossibility to deliver organizational service

    • Particularly: Atlassian APPs

    • To a lesser extent, customer support

The organization monitors its level of risk through regular security assessments, re-evaluating current risks and identifying new types of risk.

Information Security principles

The organization's security principles are the following:

  • A comprehensive approach based on standards and risks for the organization and its users

  • A response proportional to the impact, aligned with organization objectives, international standards, and best practices

  • Continuous improvement of efficiency and effectiveness

  • Strong awareness of employees

  • Maintain compliance with the legal framework

Key roles and responsibilities

  1. Directors - top management

  2. Infrastructure Team - management of IT production and infrastructure

  3. Information Security Duty

Roles and responsibilities

Directors:

  • validate the Information Security Policy

  • validate the security master plan

  • acknowledge the yearly progress

Information Security Duty:

  • daily monitoring of compliance with the information security policy requirements

  • providing assessment of information assets and their availability

  • drafting internal information security policy documentation

  • collecting information on information security incidents and monitoring responses to such incidents

  • reporting on information security issues and other administrative/organizational activities

  • organizing and conducting general and sectorial trainings on information security

  • maintaining the organization's security aligned with the laws and normative acts indicated in this policy

Infrastructure team:

  • daily monitoring and assessing of computer and IT systems

  • identifying and responding to computer and IT incidents

  • providing analysis and reporting of computer and IT incidents and security measures

  • respecting all information security policies and enforcing security procedures

All employees and users of the information system

Information security is everyone's responsibility. This applies to all users of the organization's information system:

  • Permanent and temporary employees of the organization;

  • All persons who may be given access to information of the organization (partners, contractors, consultants, interns, etc.)

All users are obliged to comply with the policy requirements and take responsibility for the proper and thorough implementation of best practices, in particular to:

  • read and apply all information security policies intended for them

  • keep themselves updated about security practices and policies

  • complete the mandatory training and awareness sessions

  • escalate to their manager and the security team any suspicious activity or incident related to the information system, as well as any potential security weakness

Information security policy by area

Access and Data management

Use of the organization's information system is restricted according to working needs. Access to confidential information is granted on a need-to-know basis.

Vulnerability management

This area covers vulnerability definition, sources of information, patches and updates, vulnerability assessment, hardening, and awareness training.

SDLC and Change management

This area covers business requirements specification, system design, development, testing, and outsourced software development.

Incident management

The organization must identify expected security incidents and define controls to detect them. The organization manages all security incidents in accordance with their criticality.

Business continuity and Disaster Recovery

This policy sets out the general principles that establish the approach toward resilience, availability, and continuity of processes, systems, and services. It defines requirements around business continuity, disaster recovery, and crisis management processes.