Information Security Policy (ISP)

  1. Introduction
  2. Purpose
  3. Scope
  4. Roles, Responsibilities, and Authorities
    1. Security Organization Management
    2. Roles and Responsibilities
  5. Identification and Authentication
  6. Handling of Incidents and IT Requests
  7. Change Management
  8. Risk Management

1 Introduction

According to standard definitions, an Information Security Policy is a set of rules an organization enacts to ensure that all users and networks within its IT infrastructure follow its requirements for the security of data stored digitally within the boundaries of its authority. Attaining this goal involves setting up an Information Security Policy for the organization and ensuring adherence to it. The policy should cover matters such as acceptable use of technology, senior-level risk reviews, operational security procedures, and other general administrative tasks.

An ISP governs the protection of information, which is an asset the organization needs to protect. Information may be printed, written, spoken, or presented visually, and it may be mailed, sent electronically, or transmitted visually or verbally. Information must be appropriately secured regardless of its form, means of transmission, or storage medium.

2 Purpose

The organization has implemented the ISP with the goal of identifying, assessing and taking steps to avoid or mitigate risk to Protranslating information assets. Information security is achieved by implementing a suitable set of controls, including policies, organizational structures, and software and hardware functions. These controls are established, implemented, monitored and reviewed to ensure that the specific security and business objectives of the organization are met. This is done in conjunction with the 9001 Quality Management System (QMS) processes implemented by the organization.

To implement and properly maintain a robust information security function, the organization recognizes the importance of:

  • Understanding the information security requirements and the need to establish policy and objectives for information security;
  • Understanding, assessing, and measuring risks posed to and by Protranslating’s information assets;
  • Implementing and operating controls to manage the organization’s information security risks in the context of overall business risks;
  • Ensuring all employees of the organization are aware of their responsibilities for asset protection and security;
  • Monitoring and reviewing the performance and effectiveness of information security policies and controls; and
  • Continually improving the assessments, measurements and changes that affect risk.

3 Scope

This policy and all related documentation apply to all information, information systems, networks, applications, locations and users of Protranslating or external providers.

4 Roles, Responsibilities, and Authorities

4.1 Security Organization Management

The Management Team, including the VP of Technology, has established the 07F18 Security Management Structure document. The Security Management Team has the following responsibilities and authority:

  • Review security policies.
  • Assign security roles.
  • Coordinate and review the implementation of security across the organization.

Information security responsibilities are clearly defined, maintained and communicated. These responsibilities include the security of Protranslating information assets and information technology that are accessed, processed, communicated to, or managed by external parties.

4.2 Roles and Responsibilities

The Information Security Policy has been established, documented and is maintained with the purpose of continuous improvement and assurance that the organization’s information is secure. Within the Information Security Policy, roles and responsibilities have been defined and assigned to specific individuals or groups within its organization.

Information Security Steering Group (ISSG): Responsible for information security in the organization to reduce risk exposure and ensure the organization’s activities do not introduce undue risk. The group is responsible for ensuring compliance with established security policies, processes and security initiatives, and with state and federal regulations.

Information Security Officer (ISO): Responsible for information security at the business level, for reducing risk exposure, drafting policies and for ensuring the organization’s activities do not introduce undue risk to the enterprise. The ISO is responsible for ensuring compliance and adherence to this policy.

Information Asset Owner (IAO): Responsible for creating the initial information classification, approving decisions regarding controls and access privileges, performing periodic reclassification and ensuring regular reviews for value and updates to manage changes to risk. For the list of IAOs see 07F18 Security Management Structure.

User: Responsible for complying with the provisions of policies and procedures.

The table below uses the RACI model (R = Responsible, A = Accountable, C = Consulted, I = Informed) to identify roles and responsibilities during an organizational change process.

Area of Responsibility                              ISSG   ISO   IAO   User
Establish the Information Security Program (ISP)    A      R     C     N/A
Implement and Operate the ISP                       A      R     C     N/A
Monitor and Review the ISP                          A/R    R     C     N/A
Maintain and Improve the ISP                        A/R    R     C     N/A
Management Responsibility                           A/R    R     C     N/A
Resource Management                                 A      R     I     N/A
Provision of Resources                              A/R    C     I     N/A
Training, Awareness and Competence                  A/R    R     C     I
Internal ISP Audits                                 A/R    R     C     I
Establish Controls                                  A      R     C     I
Storage of Source Code                              N/A    R     N/A   N/A

Managers: Managers ensure employees are aware of the relevance and importance of their activities and how they contribute to the achievement of information security objectives. They also ensure that employees are aware of and comply with all information security policies and procedures of the organization relevant to their role.

IT Team: The team is responsible for the following areas related to information security:

  • Managing related processes, such as incident and change management
  • Providing technical expertise related to information security
  • Implementing technical controls
  • System administration e.g. user creation, backups
  • Security monitoring e.g. network intrusions
  • Reporting actual or potential security breaches
  • Contributing to risk assessment where required

5 Identification and Authentication

The organization has defined the expectations and principles for how system setup and credential privileges are managed. User accounts and privileges shall be managed so that authorized users can access information systems while unauthorized access is prevented. This includes, but is not limited to:

  • Authorization to manage user accounts and privileges. Requests are triggered by the HR Business Partner, and authorization may be given through line management, by the Manager and/or Director of the area in question.
  • Management of user accounts and privileges. Specific staff are authorized to control login accounts and permissions for systems that the IT team does not manage. The IT team may delegate specific limited responsibilities for managing accounts and permissions to staff in other departments. See 07F18 Security Management Structure for more details.
  • Users’ access rights must be adjusted in a timely manner to provide only authorized and necessary access. This should take place whenever there is a change in business need, a change in an employee’s role or when an employee leaves the organization.
  • Password management. Once access to a system or application is authorized, the user is to be informed of their temporary password in a secure manner. This temporary password must be changed immediately; this should be enforced automatically by the system. See 04M06 Password Policy for more details.
  • Deletion of user access upon exiting the organization.
  • A monthly audit of login access is conducted to ensure accuracy and to remove access for users who are no longer eligible or for whom it is no longer required. See 07P08 IT Service Desk SOP for more details.
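The monthly login-access audit above is the kind of review that is easier to run as code than by hand. The following is an added example, not Protranslating's own tooling: it reconciles an exported account list against the HR roster and reports accounts belonging to leavers, accounts holding entitlements beyond what their role needs, temporary passwords that were never replaced, dormant accounts, and accounts with no named owner. The role-to-entitlement mapping, the sample records, and the thresholds (one day to replace a temporary password, 90 days for dormancy) are assumptions, not values taken from the policy.

```python
"""Monthly login-access review: reconcile system accounts against the HR roster.

Added example; not Protranslating's own tooling. The roster, account export,
and role-to-entitlement mapping below are constructed sample data, and the
thresholds are assumptions, not values taken from the policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping of job role -> entitlements that role legitimately needs.
# Anything an account holds beyond this is excess privilege for review.
ROLE_ENTITLEMENTS: dict[str, frozenset[str]] = {
    "translator": frozenset({"cat_tool"}),
    "project_manager": frozenset({"cat_tool", "tms_admin"}),
    "it": frozenset({"cat_tool", "tms_admin", "domain_admin"}),
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    active: bool  # False once HR has processed the leaver


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str  # "" when the account is not tied to a person
    entitlements: frozenset[str]
    created: date
    last_login: date | None
    must_change_password: bool  # still set => temporary password never replaced


def review_access(hr, accounts, today, temp_password_grace_days=1, dormant_days=90):
    """Return (username, finding, detail) tuples for accounts needing action."""
    roster = {r.employee_id: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct.employee_id:
            # Service/shared accounts must still map to a named owner.
            findings.append((acct.username, "NO_NAMED_OWNER", "no employee_id on account"))
            continue
        record = roster.get(acct.employee_id)
        if record is None or not record.active:
            # Leaver or unknown person: access must be removed; nothing else to check.
            findings.append((acct.username, "ORPHANED", f"no active HR record for {acct.employee_id}"))
            continue
        # An unknown role gets no allowance, so every entitlement is reported.
        allowed = ROLE_ENTITLEMENTS.get(record.role, frozenset())
        excess = acct.entitlements - allowed
        if excess:
            findings.append((acct.username, "EXCESS_PRIVILEGE", ", ".join(sorted(excess))))
        if acct.must_change_password and (today - acct.created).days > temp_password_grace_days:
            findings.append((acct.username, "TEMP_PASSWORD_UNCHANGED", f"issued {acct.created.isoformat()}"))
        # A never-used account is judged from its creation date, not treated as dormant at once.
        last_activity = acct.last_login or acct.created
        if (today - last_activity).days > dormant_days:
            findings.append((acct.username, "DORMANT", f"last activity {last_activity.isoformat()}"))
    return findings


def run_review():
    """Run the review over constructed sample data with a fixed review date."""
    today = date(2016, 6, 1)

    def days_ago(n):
        return today - timedelta(days=n)

    hr = [
        HrRecord("E001", "translator", True),
        HrRecord("E002", "project_manager", True),
        HrRecord("E003", "translator", False),  # left the organization
        HrRecord("E004", "it", True),
        HrRecord("E005", "translator", True),
    ]
    accounts = [
        Account("alice", "E001", frozenset({"cat_tool"}), days_ago(400), days_ago(3), False),
        Account("bob", "E002", frozenset({"cat_tool", "tms_admin", "domain_admin"}), days_ago(300), days_ago(1), False),
        Account("carol", "E003", frozenset({"cat_tool"}), days_ago(500), days_ago(40), False),
        Account("dave", "E004", frozenset({"cat_tool", "tms_admin", "domain_admin"}), days_ago(5), None, True),
        Account("erin", "E005", frozenset({"cat_tool"}), days_ago(600), days_ago(120), False),
        Account("svc_backup", "", frozenset({"domain_admin"}), days_ago(700), days_ago(200), False),
    ]
    return review_access(hr, accounts, today)


if __name__ == "__main__":
    for username, finding, detail in run_review():
        print(f"{username:<12} {finding:<24} {detail}")
```

Each finding maps to an action the policy already names: ORPHANED and DORMANT accounts are removed or disabled, EXCESS_PRIVILEGE is adjusted with the IAO, TEMP_PASSWORD_UNCHANGED shows the system is not enforcing the forced change the policy requires, and NO_NAMED_OWNER accounts need an owner recorded before the next review.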

6 Handling of Incidents and IT Requests

The IT Team has established procedures to ensure a consistent and effective approach to the management of information security incidents and IT requests, including communication of security events and weaknesses. These procedures provide a structure for reporting and managing such incidents, enabling their efficient and effective handling.

Information security incidents and IT requests shall be reported promptly and responded to in a quick, effective and orderly manner in order to reduce the negative effect of incidents, to repair damage and to mitigate future risks. Tickets are to be submitted to the IT Help Desk in accordance with (IAW) 07P08 IT Service Desk SOP.

Weekly reports will be generated by the IT Service Desk system for all tickets labeled ‘security’. Trends will be analyzed to determine if any discernible patterns require further investigation.

The IT team holds daily meetings where, if necessary, post-mortems and trend analysis are discussed. Any serious incident should be recorded in the Non-Conformance log, and a Corrective Action Request (CAR) may be originated IAW 10P01 Corrective Action Request SOP, if deemed necessary.

7 Change Management

Protranslating has deployed a change management process to prevent unintended service disruptions and to maintain the integrity of all company services. Duties are segregated, and every request goes through a workflow of request, approval, implementation and review IAW 07P08 IT Service Desk SOP. Rollback procedures are documented in case a previous state must be restored, even though most change plans concern minimal marketable features (MMF). Layers of authorization and logging exist so that production changes are controlled and monitored, and only authorized engineers are able to log in to the central configuration management machines from which production changes are applied. Protranslating communicates to the relevant stakeholders when services might be adversely affected.

8 Risk Management

Risk assessments will identify, quantify and prioritize threats that may become relevant to the organization. The results will guide and determine appropriate organization action and priorities for managing information security risks and for implementing controls needed to protect information assets.

Risk management will include the following steps:

  1. Identify the risks
  • Identify the organization’s assets and the associated information owners.
  • Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats.
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
  2. Analyze and evaluate the risks
  • Assess the impacts on the organization that may result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of those assets.
  • Assess the likelihood of security failures occurring, given the vulnerabilities and impacts associated with the assets and the controls already implemented.
  • Estimate the level of the risks.
  • Determine whether the risks are acceptable.
  3. Identify and evaluate options for the treatment of risk
  • Apply appropriate controls.
  • Accept the risks.
  • Avoid the risks.
  • Transfer the associated risks to other parties.
  4. Select control objectives and controls for the treatment of risk
  • The organization is committed to continually monitoring, reviewing and analyzing potential risks to ensure requirements are effectively managed in the 05M03 Information Security Policy. Identified risks and opportunities are recorded and managed using the 06F02 Risks and Opportunities Management Document.
  • The IT Help Desk and Non-Conformance log provide visibility into potential risks to the organization with regard to information security, allowing effective, related decision making.
  5. Threat-related risk management
  • Threat-related risks are managed in accordance with established internal policies and procedures. Additional information is available under NDA.

Details of our selected controls and how they have been implemented and measured are considered confidential information and restricted to Protranslating. The following sections have been removed to make this document available to the public: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management and compliance.

© Copyright 2016 - Protranslating