Policy Template for Information Security
1.0 Purpose
The purpose of this policy is to direct the design, implementation and management of an effective Information Security Program, which ensures that {{organization.name}}’s information assets are properly identified, recorded, and afforded suitable protection at all times. This document sets forth certain principles regarding the responsible use of information by {{organization.name}} and outlines the roles and responsibilities of personnel to protect the confidentiality, integrity, and availability of {{organization.name}} resources and data.
2.0 Scope
This policy covers {{organization.name}} information and information systems, including information and information systems used, managed, or operated by a contractor or other vendor, and applies to all {{organization.name}} employees, contractors, and other users of {{organization.name}} information and information systems.
3.0 Policy Statements
Implement and maintain the Information Security Program at {{organization.name}}.
Continuously improve and align Information Security Practices to global best practices and standards.
Information Security policies shall be reviewed regularly. It shall be ensured that employees understand the policies and abide by them.
Security Awareness training shall be imparted regularly.
Internal Assessments or Audits of {{organization.name}}’s Information Security Program shall be performed on a periodic basis and any gaps or findings shall be remediated in a timely manner.
A Risk Assessment process for {{organization.name}}’s information assets shall be defined and followed. Risk reduction shall be carried out through the process of continuous improvement.
{{organization.name}}’s information asset inventories shall be reviewed and updated when a new asset is added.
Business continuity plans shall be reviewed and tested. Roles and responsibilities shall be clearly defined and communicated to all involved personnel.
Information shall be classified and handled according to its criticality and sensitivity, and in accordance with relevant legislative, regulatory and contractual requirements.
Appropriate contacts with relevant authorities and special interest groups or other specialist security forums shall be maintained.
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.
Detection, prevention and recovery controls to protect against malware shall be implemented by {{organization.name}}, combined with appropriate user awareness.
4.0 Roles and Responsibilities
4.1 {{organization.name}} Board of Directors
The Board of Directors shall be independent of management and provide oversight of the organization’s Information Security Program. Their responsibilities include, but are not limited to, the following:
Ascertaining that there is transparency about the significant risks to the organization.
Obtaining assurance that management has established responsibilities, processes and technology for an effective Information Security Program.
Using the output of any Information Management Program assessment to assist in risk management decisions for securing {{organization.name}}’s.
4.2 {{organization.name}} Executive Management
Executive Management shall provide direction and management support to employees with information security responsibilities in {{organization.name}}. Executive Management’s responsibilities include:
Defining and aligning the scope of the Information Security Program with {{organization.name}}’s business requirements and international security best practices and standards.
Ensuring that information security responsibilities have been assigned and are sufficient to comply with the Information Security Program including:
Overseeing the Information Security Program implementation and security improvement initiatives.
Preparing security awareness training material and conducting periodic information security training.
Planning and performing periodic Information Security Program assessments and communicating the results to Executive Management.
Performing analysis of security incidents and recommending, initiating or tracking corrective actions as applicable.
Reviewing any reports on the Information Security Program implementation status or assessments.
Providing guidance and oversight for Business Continuity Planning and Disaster Recovery Management for {{organization.name}}, and approving the Disaster Recovery Action Plans documented for implementation.
Playing an active role during {{organization.name}}’s Risk Assessment exercises and in defining risk mitigation strategies.
Approving {{organization.name}}’s Information Security Policies and any changes to them, and ensuring that the overall information security posture is aligned with business requirements and risks.
5.0 Information Security Policies
This document, along with the rest of {{organization.name}}’s information security policies, defines the principles and terms of {{organization.name}}’s Information Security Program as well as the responsibilities of users and employees in carrying out and adhering to the respective program requirements.
Violations of {{organization.name}}’s information security policies may result in corrective actions and the start of a disciplinary process.
6.0 Communication
{{organization.name}} shall have dedicated communication channels to ensure incidents related to personnel security or breach of policies are reported, evaluated and addressed.
Examples of incidents include, but are not limited to:
Breach of security policies
Discrimination or harassment of employees
Occupational Health and Safety hazard
Issues with the quality of work or performance
Inappropriate conduct in the workplace
Please see Appendix 1 for a list of contact information to report incidents.
Appendix 1
Category | Contact Person | Email Address | Phone Number |
Health and Safety | | | |
Human Resource/Disciplinary Actions | | | |
Diversity and Inclusion | | | |
Employee Feedback | | | |
General Emergency | Call 911 | | |