INFORMATION SECURITY POLICY
This document sets out the high-level policy for information security management for IDEAL Electronics S.A business unit i-DOCS and i-DOCS Enterprise Software Ltd (hereafter referred to as “Organization”).
The Organization is committed to safeguarding the information systems upon which it depends, in order to deliver services, both internally and externally. It has therefore devised and agreed this high-level policy for Information Security Management.
The Organization considers information as a valuable asset of utmost importance that needs to be secured in order to ensure reliable services to its stakeholders.
Furthermore, the Organization is aware that information security is an on-going practice of implementing the necessary processes and controls to protect the Organization’s critical information from risks that can adversely impact the Organization’s operations.
This policy applies to the entire Information Security Management System (ISMS), as defined in the ISMS Scope and Context.
Users of this document are all employees of the Organization as well as relevant external parties, within the scope of the ISMS as defined in the ISMS Scope and Context.
Within this perspective, the Organization has adopted an Information Security Management System comprising the Information Security Policies, Procedures and Processes needed to effectively manage information security risks. This system is aligned with the ISO/IEC 27001:2013 standard.
This information security policy outlines the Organization’s approach to information security management. The aim of this top-level policy is to provide the framework and to describe the purpose, guiding principles and responsibilities for safeguarding the security of the Organization’s information systems.
This policy applies to the entirety of the Organization, including:
All business locations and functions
All information that is stored or processed by the Organization (including that entrusted to the Organization by its clients, commercial partners and its employees) irrespective of the format in which it is stored or processed
All authorized Users, whether directly employed by the Organization, or engaged under contract to provide services to the Organization and / or its clients
Within the broader scope described above, this Policy also establishes and empowers an ISMS that will be certified to the ISO/IEC 27001:2013 Standard. The scope of the certified ISMS is described in detail in the document ISMS Scope and Context.
Terms and Definitions
Every individual staff member in the Organization is responsible for the implementation of this policy and will be held accountable under this policy.
Heads of Units and Senior Managers shall take responsibility for information security within their respective Department, implementing adequate controls to meet the information security objectives, as defined in this policy.
Users shall be aware of their day-to-day security responsibilities, of this policy and any operational policies and procedures that apply for securing the Organization’s information assets. All employees of the Organization shall be fully aware of and abide by the Organization’s “Acceptable Use Policy”.
All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Security Officer with assistance from relevant staff and Unit Heads. Further details on the reporting and management of information security incidents can be found in the Incident Management Framework (Incident Management Policy and Incident Management Procedure).
Compliance with this policy includes compliance with all supporting policies and procedures. Non-compliance with supporting policies and procedures may lead to disciplinary actions, as applicable. Detailed responsibilities for individuals who are required to support the Organization’s ISMS are fully described within the “ISMS Roles and Responsibilities” document.
Information Security Policy Statement
Information can exist in many forms, printed or written on paper, stored electronically, transmitted by post or by using electronic means, contained within documents, or spoken in conversation. The Organization also relies heavily on computer systems and applications, to store, process and manage business and client information. Whatever form the information takes, or means by which it is shared or stored, it must always be appropriately protected. Information in any form is a valuable company asset and shall be treated as such.
Information security problems include information being inappropriately obtained, accessed or disclosed, altered or erroneously validated - whether deliberately or accidentally - or being unavailable when required. The Organization considers information as a valuable asset of utmost importance that needs to be secured in order to ensure reliable service delivery to its clients.
It is therefore an objective for the Organization to protect its information through an ongoing practice of implementing and monitoring appropriate controls to protect important information from possible risks that might adversely impact the Organization’s business operations or reputation.
Within this perspective, the Organization has adopted an Information Security Management System (ISMS) comprising policies, procedures and processes to effectively manage information security risks. The ISMS is aligned with the ISO/IEC 27001:2013 Standard.
Managing Information Security
The management of the Organization is committed to ensure that:
The confidentiality of information is protected, preventing unauthorized disclosure of valuable or sensitive information
The integrity of information is maintained to ensure its accuracy and completeness
The availability of information is maintained to meet organizational needs and stakeholder requirements and expectations
Regulatory and legislative requirements related to the Organization are met
Appropriate information security awareness is provided to all Users within the scope of the Organization’s ISMS
An incident management process is established and implemented to ensure that all breaches of information security (actual or suspected) are reported and investigated
Risks are mitigated to an acceptable level through a risk management framework.
The ISMS is continually improved
Appropriate resources are allocated in order to implement, operate and review an effective ISMS
Objectives and Measurement
The Organization has defined its information security objectives to ensure that its related business operations continue to be carried out securely, in line with the ISO/IEC 27001:2013 standard. The primary information security objectives are as follows:
Information-related business operations to be carried out securely in line with the ISO 27001:2013 standard
Protect the Organization's information to ensure confidentiality and integrity of information and availability of information to authorized individuals
Successful management of the Organization's information and information assets
Proactive management of information security risks
Enhance information security awareness among the Organization's employees and suppliers
Ensure that security breaches and information security incidents are managed effectively
Detailed information security objectives and the related measurements are documented as part of ISMS Objectives and Effectiveness Measurement.
Supporting Policies and Procedures
Relevant information security policies, procedures and processes shall be developed and published on the Organization’s document management system or intranet, which shall be accessible to all of the Organization’s employees.
Specific policies, procedures and processes shall also be made available to third parties, where applicable, and these third parties shall be required to adhere to them as a term of their engagement with the Organization.
The Organization’s management is committed to continual improvement of the ISMS. It is through continual improvement that the effectiveness of the ISMS and security controls will be maintained and improved. These processes are further described in the Continual Improvement Framework document.
KPIs shall be developed and used to measure the effectiveness of the ISMS and of its security controls. As part of the Management Review of the ISMS, Top Management shall ensure that feedback and improvement recommendations are provided by the Information Security Steering Committee (SteerCo).
As an outcome of the review, the potential improvements to the ISMS will be communicated to the Top Management.
Legal and Regulatory Requirements and Contractual Obligations
All relevant statutory and regulatory requirements as well as contractual obligations shall be identified and complied with. Further details on applicable requirements may be found in the “ISMS003 Scope and Context” document.
Security in Business Change and Project Management
The Organization acknowledges that the consideration of appropriate information security controls is most effective at the outset of any change within the business. Therefore, information security shall be considered throughout the project lifecycle, with the following specific measures being adhered to:
Project managers shall ensure that information security is addressed at all stages of project management, beginning with the project brief
The Information Security Officer shall provide a security sign-off at the end of each stage and prior to the initiation and / or closing of the project
Risk assessments and security testing shall be conducted, as appropriate, before the project’s initiation, during the implementation stage and prior to closing of the project
Relevant information security requirements shall be included in Proposals, Requests for Proposal (RFP), Requests for Information (RFI) and Requests for Quotation (RFQ)
All External Parties such as suppliers, vendors, external partners, contractors etc. shall sign Non-Disclosure Agreements (NDAs) prior to the project’s initiation
All External Parties such as suppliers, vendors, external partners, contractors etc. shall sign Data Processing Agreements (DPAs) with the Organization whenever personal data is processed by them on behalf of the Organization
In order to ensure the continued suitability, adequacy and effectiveness of its information security framework, the Organization shall ensure that this information security policy and its related documents are reviewed at appropriate intervals and whenever significant changes occur to the Organization or its information assets.
Reviews and updates shall be discussed during the Information Security Steering Committee’s meetings and communicated to the Organization’s Management for approval and sign off.
Compliance with this policy is mandatory for all internal and external Users. Compliance checks will be performed on a regular basis by the Information Security Officer of the Organization.
Any breaches or alleged breaches of this policy will be investigated by the Information Security Officer according to the Human Resources Department procedures and directly reported to the Head of Department to take the appropriate disciplinary actions.