This information security policy defines the purpose, principles, objectives and basic rules for information security management.
This document also defines procedures to implement high level information security protections within the organization, including definitions, procedures, responsibilities and performance measures (metrics and reporting mechanisms).
This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
This policy defines the high level objectives and implementation instructions for the organization’s information security program. It includes the organization’s information security objectives and requirements; such objectives and requirements are to be referenced when setting detailed information security policy for other areas of the organization. This policy also defines management roles and responsibilities for the organization’s Information Security Management System (ISMS). Finally, this policy references all security controls implemented within the organization.
Within this document, the following definitions apply:
Confidentiality: a characteristic of information or information systems in which such information or systems are only available to authorized entities.
Integrity: a characteristic of information or information systems in which such information or systems may only be changed by authorized entities, and in an approved manner.
Availability: a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
Information Security: the act of preserving the confidentiality, integrity, and, availability of information and information systems.
Information Security Management System (ISMS): the overall management process that includes the planning, implementation, maintenance, review, and, improvement of information security.
Data Center Security Policy
Disaster Recovery Policy
Remote Access Policy
Removable Media/Cloud Storage/BYOD Policy
Risk Assessment Policy
Security Incident Response Policy
Software Development Lifecycle Policy
System Availability Policy
Workstation Security Policy
Managing Information Security
The organization’s main objectives for information security include the following:
[list the reasons/objectives for maintaining information security at the organization. Examples include a better market image, reduced risk of data breaches and compromises, and compliance with legal, regulatory, and contractual requirements.]
The organization’s objectives for information security are in line with the organization’s business objectives, strategy, and plans.
Objectives for individual security controls or groups of controls are proposed by the company management team, including but not limited to [list key roles inside the organization that will participate in information security matters], and others as appointed by the CEO; these security controls are approved by the CEO in accordance with the Risk Assessment Policy (Reference (a)).
All objectives must be reviewed at least once per year.
i. The company will measure the fulfillment of all objectives. The measurement will be performed at least once per year. The results must be analyzed, evaluated, and reported to the management team.
Information Security Requirements
This policy and the entire information security program must be compliant with legal and regulatory requirements as well as with contractual obligations relevant to the organization.
All employees, contractors, and other individuals subject to the organization’s information security policy must read and acknowledge all information security policies.
The process of selecting information security controls and safeguards for the organization is defined in Reference (a).
The organization prescribes guidelines for remote workers as part of the Remote Access Policy (reference (b)).
To counter the risk of unauthorized access, the organization maintains a Data Center Security Policy (reference (c)).
Security requirements for the software development life cycle, including system development, acquisition and maintenance are defined in the Software Development Lifecycle Policy (reference (d)).
Security requirements for handling information security incidents are defined in the Security Incident Response Policy (reference (e)).
Disaster recovery and business continuity management policy is defined in the Disaster Recovery Policy (reference (f)).
Requirements for information system availability and redundancy are defined in the System Availability Policy (reference (g)).