2 - Information Security Policy

ITIL Sec Policy

Information Security Policy

Version: 1.00 Issue Date: 9/9/2019

1.0 Overview

This policy establishes general roles and responsibilities for information security. It
establishes the authority of the Information Security Committee to create and enforce
information security policies.

2.0 Purpose

This policy defines, organization-wide, appropriate access to and the integrity of
organizational information, and appropriate access to organizational information
technology assets. It defines the roles and responsibilities of:

1. Employees and authorized users
2. The departmental information security officer
3. Information Security Committee
4. Security Officer
5. Chief Information Security Officer (CISO)
6. Communications Officer

3.0 Scope

This policy is organization-wide and all parts of the organization are subject to it. This
policy defines basic organizational security standards and provides information about the
roles and responsibilities of those involved. Departments may establish departmental
policies but may not override enterprise policies. This policy is effective as of the issue
date and does not expire unless superseded by another policy.

4.0 Policy Description

Organizational resources, including networks, computer systems, software, and data,
must be protected from unauthorized use and disclosure. The following must be
provided:

- Data confidentiality
- Data integrity
- Data and system availability
- Appropriate use of data and systems
- Authentication
- Ability to audit
- Recoverability of lost data or systems
- Business continuity

Organizational policies and procedures shall be used to guide organization-wide
information security. Department management is required to ensure that their
departments adhere to the organizational policies and procedures. Department
managers may develop departmental policies and procedures so long as they do not
conflict with organization-wide policies and procedures. Individual departments should
have an information security officer responsible for overseeing and managing security
inside the department. This person will also represent the department in enterprise-wide
meetings and efforts regarding information security.

5.0 Security Officer

Each department shall have a security officer responsible for ensuring security. The
Information Security Officer will:

1. Manage departmental security.
2. Create departmental security policy.
3. Ensure security policy is being enforced by coordinating audits.
4. Coordinate the emergency response team for the department.
5. Represent the department on the enterprise-wide organizational security
committee.

6.0 Employees

All authorized users, staff members, or employees, whether volunteers or contractors,
with access to organizational resources are responsible for understanding and abiding
by security policies and other organizational policies. All users are required to protect
organizational data and resources from unauthorized disclosure and modification to the
best of their ability.

7.0 Chief Information Security Officer (CISO)

Chief Information Security Officer duties:

- Lead the Information Security Committee.
- Coordinate and oversee development of enterprise-wide computer information
security policies.
- Coordinate efforts regarding information security between departments.
- Direct information security education and training.
- Provide leadership related to information security, including technical issues,
policies, and regulations.
- Lead the Organizational Security Committee.
- Encourage the awareness and use of the security strategy.
- Determine the data classification scheme for the organization and be responsible
for it (e.g. public, internal use only, confidential).

8.0 Information Security Committee

The Information Security Committee will consider the business needs and security
concerns as they perform the following responsibilities:

- Develop, update, approve, and ensure communication of information security
policies.
- Develop, update, and communicate related procedures.
- Develop, update, and communicate related standards.
- Review and approve or deny deviations from standards or policies.
- The Information Security Committee must create and maintain a technical
security plan. The plan must define roles and responsibilities of managers and
employees, including job descriptions. All employees must be qualified to fulfill
their job roles.
- The Information Security Committee must include consideration of ownership
responsibilities in the security plan and policies. Owner roles and responsibilities
must be defined.
- Develop a process for communication of the technical security plan.
- Develop an approval process for certification of new information technology
equipment and facilities to ensure security protection meets requirements.
- Technology developments and new threats must be evaluated at least once per
year, and modifications must be made to the technical security plan to use new
technology and meet threats. Reports from auditors shall be used to determine
additional security needs, including awareness programs, changes to the security
framework, or actions due to non-compliance.

9.0 Communications Officer

The Communications Officer will communicate new or revised policies, procedures, and
standards on behalf of the Information Security Committee.

10.0 Technical Security Plan

- The Information Security Committee must create and maintain the technical
security plan.
- The technical security plan must be approved by the Chief Information Security
Officer.
- The technical security plan must be reviewed by appropriate staff in appropriate
divisions prior to implementation. Comments and modifications must be
discussed, agreed upon, and any changes made before the plan is implemented.
External advice about the plan should be obtained prior to plan implementation.
- The technical security plan must be based on a formal risk analysis which covers
the organization and business processes. An example would be the risk of using
email to support business processes, considering what attachments should be
allowed. Threats, vulnerabilities, risks, costs, and probabilities should be
considered.
- The technical security plan must be in line with the strategic business plan,
considering the organizational business objectives. The technical security plan
must be reviewed at least annually to ensure it is aligned with the strategic
business plan.
- Controls specified by the security plan and policies must be cost effective.
Priorities must be set based on risk, costs, and alternatives.
- The technical security plan and framework must state its purpose and objectives.
- The technical security plan must call out measurable metrics that can be used to
determine whether security goals are being achieved. Metrics should be
compared with industry trends and scores. Metrics and scores should be
evaluated by independent reviewers.
- The technical security plan must be documented and communicated so the
security strategy is implemented. Documentation and communication of the plan
will improve system protection throughout the organization.

11.0 Security Awareness and Guidelines

- Information security officers and advisers must be able to advise information
technology and business management about information security issues.
- Security awareness must be part of the employee orientation plan.
- Security awareness must be included in performance appraisals, and a training
program must be available for staff members.
- The goals and scope of the security awareness program must be clearly defined.
- Upper management must support the security awareness program.
- Security awareness trainers must be well qualified in the areas they teach and be
excellent communicators.
- The security awareness program must be modified annually to consider
technological changes and changes in security needs.
- The training program must include training for applications required by users.
Employees and contractors should be trained based on work assignments and
need.
- Surveys should be conducted regularly to determine the effectiveness of the
training program. Feedback should be used by the trainers to improve training
methods.

12.0 Security Requirements

- Security policies, procedures, and standards must be documented and published
so all affected members of the organization are aware of them.
- All security policies, procedures, and standards must comply with and support
the laws, regulations, and contracts that apply.
- Minimum security requirements for all operating systems approved for use in the
organization must be defined. Testing must be done to ensure the requirements
are met and effective. Any deviations from requirements must be approved and
have compensating controls.
- Only approved operating systems may be used in the organization.
- All systems must have adequate authentication mechanisms for all users, which
must include a unique user identifier and a user authentication mechanism (e.g.
password, token, biometrics) for access.
- Access to system and equipment diagnostic ports must be controlled using
adequate security mechanisms to prevent unauthorized use or access.
- The Information Security Committee must review information about new types of
security threats. The security officer must review information about new security
vulnerabilities and exploits.
- Third parties should evaluate the security architecture and policies annually to
independently determine their effectiveness. Practices actually used must be
evaluated to ensure they are in line with the policies.

13.0 Auditing

Auditors shall support this policy by auditing various departments for compliance, as
coordinated with the Information Security Committee and the Chief Information Security
Officer. Auditors shall provide reports to management, including the Information Security
Committee and the Chief Information Security Officer, detailing compliance and
shortfalls throughout the organization.

14.0 Enforcement

All activity that does not comply with this Information Security Policy and other policies
and procedures is investigated. Organizational members that do not adhere to this
policy may be subject to disciplinary action up to and including denial of access, legal
penalties, and/or dismissal. Any employee aware of any violation of this policy is
required to report it to their supervisor or other authorized representative.

15.0 Other Requirements

- Procedures must be created to keep authentication mechanisms effective in
providing access control.

Approval

Approved by:__________________________ Signature:_____________________

Date:_______________
