1 Information security requirements

A clear definition of the requirements for information security within Saphetor will be agreed and maintained with the internal business so that all ISMS activity is focussed on the fulfillment of those requirements. Statutory, regulatory and contractual requirements will also be documented and input to the planning process. Specific requirements about the security of new or changed systems or services will be captured as part of the design stage of each project.

It is a fundamental principle of the Saphetor Information Security Management System that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings and briefing documents.

2 Framework for setting objectives

A regular cycle will be used for the setting of objectives for information security, to coincide with the budget planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.

Information security objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure that they remain valid. If amendments are required, these will be managed through the change management process.

In accordance with ISO/IEC 27001 the reference controls detailed in Annex A of the standard will be adopted where appropriate by Saphetor. These will be reviewed on a regular basis in the light of the outcome from risk assessments and in line with information security risk treatment plans.

In addition, enhanced and additional controls from the following codes of practice will be adopted and implemented where appropriate:

  • ISO/IEC 27002 – Code of practice for information security controls

The adoption of these codes of practice will provide additional assurance to our customers and help further with our compliance with international data protection legislation.

3 Continual improvement of the ISMS

Saphetor policy regarding continual improvement is to:

  • Continually improve the effectiveness of the ISMS
  • Enhance current processes to bring them into line with good practice as defined within ISO/IEC 27001 and related standards
  • Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
  • Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security
  • Make information security processes and controls more measurable in order to provide a sound basis for informed decisions
  • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data
  • Obtain ideas for improvement via regular meetings and other forms of communication with interested parties
  • Review ideas for improvement at regular management meetings in order to prioritise and assess timescales and benefits

Ideas for improvements may be obtained from any source including employees, customers, suppliers, IT staff, risk assessments and service reports. Once identified they will be recorded and evaluated as part of management reviews.

4 Information security policy areas

Saphetor defines policy in a wide variety of information security-related areas which are described in detail in a comprehensive set of policy documentation that accompanies this overarching information security policy.

Each of these policies is defined and agreed by one or more people with competence in the relevant area and, once formally approved, is communicated to an appropriate audience, both within and external to the organization.

The table below shows the individual policies within the documentation set and summarises each policy’s content and the target audience of interested parties.

POLICY TITLE AREAS ADDRESSED TARGET AUDIENCE

Internet Access Policy

Business use of the Internet, personal use of the Internet, Internet account management, security and monitoring and prohibited uses of the Internet service.

Users of the Internet service

Cloud Computing Policy

Due diligence, signup, setup, management and removal of cloud computing services.

Employees involved in the procurement and management of cloud services

Mobile Device Policy

Care and security of mobile devices such as laptops, tablets and smartphones, whether provided by the organization

Users of company-provided mobile devices

Remote working Policy

Information security considerations in establishing and running a teleworking site and arrangement e.g. physical security, insurance and equipment

Management and employees involved in setting up and maintaining a teleworking site

Access Control Policy

User registration and deregistration, provision of access rights, external access, access reviews, password policy, user responsibilities and system and application access control.

Employees involved in setting up and managing access control

Cryptographic Policy

Risk assessment, technique selection, deployment, testing and review of cryptography, and key management

Employees involved in setting up and managing the use of cryptographic technology and techniques

Physical Security Policy

Secure areas, paper and equipment security and equipment lifecycle management

All employees

Anti-Malware Policy

Firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews and malware incident management.

Employees responsible for protecting the organization’s infrastructure from malware

Backup & Restore Policy

Backup cycles, cloud backups, off-site storage, documentation, recovery testing and protection of storage media

Employees responsible for designing and implementing backup regimes

Logging and Monitoring Policy

Settings for event collection. protection and review

Employees responsible for protecting the organization’s infrastructure from attacks

Software Policy

Purchasing software, software registration, installation and removal, in-house software development and use of software in the cloud.

All employees

Technical Vulnerability Management Policy

Vulnerability definition, sources of information, patches and updates, vulnerability assessment, hardening and awareness training.

Employees responsible for protecting the organization’s infrastructure from malware

Network Security Policy

Network security design, including network segregation, perimeter security, wireless networks and remote access; network security management, including roles and responsibilities, logging and monitoring and changes.

Employees responsible for designing, implementing and managing networks

Secure Development Policy

Business requirements specification, system design, development and testing and outsourced software development.

Employees responsible for designing, managing and writing code for bespoke software developments

Information Security Policy for supplier relationship

Due diligence, supplier agreements, monitoring and review of services, changes, disputes and end of contract.

 

IP and Copyright Compliance Policy

Protection of intellectual property, the law, penalties and software license compliance.

All employees

Data Retention Policy

Retention period for specific record types, use of cryptography, media selection, record retrieval, destruction and review.

Employees responsible for creation and management of records

Data Privacy Policy

Applicable data protection legislation, definitions and requirements.

Employees responsible for designing and managing systems using personal data

Clear Desk and Clear Screen Policy

Security of information shown on screens, printed out and held on removable media.

All employees

Social Media Policy

Guidelines for how social media should be used when representing the organization and when discussing issues relevant to the organization.

All employees

Acceptable Use Policy

Employee commitment to organizational information security policies

All employees

Asset Management Policy

This document sets out the rules for how assets must be managed from an information security perspective

All employees

Configuration Management Policy

The secure configuration of hardware, software, services and networks

Employees responsible for designing systems and managing service delivery

Data Leakage Prevention Policy

The configuration of relevant software tools to detect and prevent leakage of data

Employees responsible for designing systems and managing service delivery

Threat Intelligence Policy

The collection and use of threat intelligence at the strategic, tactical and operational levels

Employees responsible for protecting the organization’s infrastructure from attacks

Table 1: Set of policy documents

5 Application of information security policy

The policy statements made in this document and in the set of supporting policies listed in Table 1 have been reviewed and approved by the top management of Saphetor and must be complied with. Failure by an employee to comply with these policies may result in disciplinary action being taken in accordance with the organization’s Employee Disciplinary Process.