Security Policy

Introduction

This document specifies a comprehensive set of Technology Security Policy statements and guidelines to define how information security will be applied within Infinity Works (IW).

Its purpose is to communicate management information security directives so as to ensure consistent and appropriate protection of information throughout Infinity Works. It is a reference document to be used by employees, agents, contractors and any security authorised third party organisations or customers that may utilise, manage or control Infinity Works information or information assets.

Applicability

This policy is applicable:

  • To all employees working within Infinity Works and to others working on behalf of Infinity Works in a similar capacity, including contractors, consultants, temporary staff, student placements etc.; and
  • To all information/data, information processing/computer systems and networks (collectively known as “information assets”) owned by Infinity Works, or entrusted to Infinity Works by third parties.

Purpose

The purpose of the implementation of the Security Policy within Infinity Works is to ensure the confidentiality, integrity and availability (CIA) of information and systems. This is achieved by the minimisation of business risk by preventing or reducing the impact of potential security incidents. The implementation of the Security Policy further mitigates risks by allowing information to be shared in a controlled manner that ensures the protection of information and computing assets.

CIA is defined for the purposes of this document as follows:

  • Confidentiality: Protection of information from unauthorised disclosure.
  • Integrity: Maintaining the accuracy and completeness of information assets.
  • Availability: Ensuring that information assets and vital services are available to users whenever they are required.

This policy outlines the high-level principles that must be applied to all information systems and environments. Associated documents such as standards, process and procedure documents are based upon this policy and are referenced by it.

Security Policy Principles

  1. Information security is a business enabler and aligns with business goals and objectives.
  2. Information is a critical Infinity Works business asset and must be protected and handled to a degree appropriate to its classification and its value to the business.
  3. Information security controls are necessary to protect Infinity Works information assets against unacceptable loss.
  4. Information security permeates throughout the entire organisation.
  5. Information security is a core element of corporate governance.
  6. Infinity Works adheres to accepted best practices regarding information security standards.

Goals

The goal of this Infinity Works Security Policy is to ensure that:

  • The confidentiality and integrity of Infinity Works information is assured and business requirements for the availability of Infinity Works information and information systems are met.

Achieving these goals requires that:

  • Detailed security standards, process and procedure documents are produced and maintained in order to support Infinity Works business functions.
  • Clear division of responsibilities is defined.
  • All Infinity Works assets are classified in order to ensure that they are adequately secured.
  • Information is protected against unauthorised access.
  • All breaches of information security, actual or suspected, are investigated and reported to the ISMS Committee.
  • Software and systems are only used for legitimate business purposes.
  • Violation and incident management procedures are maintained.
  • Regulatory and legislative requirements are met, including but not limited to an independent annual review of information security.
  • Data protection and information security awareness training is provided for all staff.
  • Appropriate business, technical risk and (where appropriate) data protection impact assessments are conducted for new services or when changes are made to existing services.

Compliance

The statements in this policy are mandatory unless otherwise stated. Where compliance with one or more of the policy statements or derived standards cannot be achieved, the instance of and reason for non-compliance must be justified, documented and presented to the ISMS Committee. If the appropriate system owner (SO) chooses to accept the risk of non-compliance, as determined by a Security Risk Assessment, then the exemption/deviation process described below must be followed.

Changes to Policy

Any request for change to the policy (additions, deletions or alterations) must be submitted to the ISMS Committee for approval or rejection. Changes considered critical and immediate may be approved outside of the annual review, in which case the change is incorporated into the policy straight away. Alternatively, an exception may be granted until the next annual review.

Organisation of Information Security

The management of information security within Infinity Works must function within a clearly defined organisational structure. Roles and responsibilities must be defined and maintained in order to support this security organisation. By maintaining a clearly defined structure within information security, the following organisational benefits will be achieved:

  • Coherent policy definitions that are applied in all situations at all levels of the business. In achieving this, information security will be implemented consistently and hence more effectively.
  • Clearly defined reporting lines that ensure escalation paths provide an effective response mechanism in the management of security incidents.
  • All staff members having clearly defined roles with regard to maintaining the integrity and on-going effectiveness of information security.

The Directors give overall strategic direction by approving and mandating the Infinity Works Security Policy, and delegate operational responsibility for information security to the ISMS Committee. The ISMS Committee reviews policy throughout Infinity Works and ensures that suitable policies are in place to support Infinity Works security principles. Management demonstrate their commitment to information security by:

  • Reviewing and re-approving the policy annually.
  • Receiving and acting appropriately on management reports concerning information security performance metrics and security incidents.

Information Security Roles and Responsibilities

The Directors (or assigned delegate) are responsible for:

  • Taking the lead on information governance as a whole by providing the overall strategic direction, support and resource necessary to ensure that information assets are identified and suitably protected throughout Infinity Works.

The ISMS Committee are responsible for:

  • Defining technical and non-technical information security standards, procedures and guidelines.
  • Supporting System Owners (SOs) and managers in the definition and implementation of controls, processes and supporting tools to comply with this policy and manage information security risks.
  • Reviewing and monitoring compliance with policy statements.
  • Collecting, analysing and commenting on information security metrics and incidents.
  • Supporting SOs in the investigation and remediation of information security incidents or other policy violations.
  • Liaising as necessary with auditors, the Directors (or assigned delegate) and external bodies such as the Police when appropriate.
  • Authorising access to information assets by role in accordance with their classification and business requirements.
  • Administering and assigning information security activities to authorised personnel within the organisation.
  • Ensuring that all information security initiatives are aligned with company-wide regulatory compliance, governance and security mandates.
  • Creating and distributing security policies and procedures.
  • Monitoring and analysing security alerts and distributing information to the appropriate information security and business unit management personnel.
  • Creating and distributing security incident response and escalation procedures.
  • Administering user account and authentication management.

Managers throughout Infinity Works are responsible for:

  • Day-to-day implementation of this policy.
  • Ensuring that suitable technical, physical and procedural controls are in place in accordance with this policy and associated guidance, and that they are properly applied and used by all employees. In particular, managers must take measures to ensure that employees:
    • Are informed of their obligations under the relevant corporate policy statements by means of appropriate awareness, training and education activities.
    • Comply with the policy statements and actively support the associated controls.
    • Are monitored to assess their compliance with the policy statements and the correct operation of the associated controls, and are reminded of their obligations as appropriate.
    • Are provided with the direction, resources, support and review necessary to ensure that information assets are appropriately protected within their area of responsibility.
    • Inform Security and/or SOs of actual or suspected policy violations (information security incidents) affecting their assets.
    • Are subject to regular checks of their compliance with this policy and associated guidance.

Systems Owners (SOs)

SOs are managers held accountable for the protection of particular Information Assets. SOs may delegate information security tasks to managers or other individuals but still remain accountable for them. SOs are responsible for:

  • Appropriate classification and protection of the information assets.
  • Specifying and funding suitable protective controls.
  • Authorising access to information assets by individuals in accordance with their role, classification and business requirements.
  • Undertaking or commissioning information security risk assessments and (where appropriate) data protection impact assessments for new systems or upgrades, to ensure that the information security requirements are properly defined and documented during the early stages of development.
  • Monitoring compliance against the protection requirements associated with their assets.
  • Ensuring up-to-date documentation of working practices, processes and procedures.
  • Periodically reviewing access rights, and promptly notifying the service desk of redundant or invalid user IDs, inappropriate access rights, and users who change jobs or leave Infinity Works.
  • Ensuring that all system users familiarise themselves with, and comply with, the Infinity Works Acceptable Usage Policy (AUP).

Employees and Contractors

Employees and contractors utilising and having access to the broad range of Infinity Works information and systems are required to adhere to the policies, procedures, provisions and general guidelines outlined in this security policy document and in all other applicable supporting policy and procedure documents. Information security responsibilities apply to the following non-exhaustive list of system components deemed critical by Infinity Works:

  • Network devices and supporting network protocols and activities
  • Operating systems and supporting systems
  • Applications and supporting systems and activities
  • Databases
  • Data transmission protocols
  • End-user devices and technologies

These responsibilities include not engaging in any activity that may compromise the organisation's network infrastructure, cause harm to other related systems, or pose a significant financial, operational or business threat to the organisation through misuse of system components deemed critical by the organisation. Violation of these information security responsibilities may be grounds for disciplinary action.

Security Awareness

As a minimum, all Infinity Works employees and contractors must review and acknowledge their understanding of the Infinity Works Security Policy on an annual basis. Where relevant to their job functions, workers must receive appropriate training and regular updates on data protection and information security policies, standards, procedures, laws, regulations etc. This includes security requirements, legal responsibilities and business controls (such as security incident reporting processes), as well as induction training in the appropriate and secure use of Infinity Works facilities before access to information is granted. Security and risk awareness, education and training activities must reflect employee needs, e.g.:

  • Managers must receive information on their information security management, supervisory and governance responsibilities.
  • I.T. professionals, whether or not they are employed within Infinity Works, must be informed about the technical aspects of information security.
  • Employees who routinely handle sensitive and valuable proprietary or personal data must be reminded periodically of their confidentiality and integrity obligations.
  • All employees must be briefed about information security in general terms, using current security issues, changes, incidents or near-misses, regular appraisals, team meetings etc. as convenient opportunities to raise the subject.

Exemption

A system owner (SO) may propose a short-term exemption from a policy statement or standard while an action plan to return the system to a compliant state is underway.

The SO, working with a member of the ISMS Committee, is responsible for documenting any risks arising from the proposed exemption and specifying any mitigating controls that could be deployed to reduce the risk. The SO must document a mitigation action plan that details how their asset will become fully compliant with the policy or standard within a stated time frame. The exemption must be documented and included in the SO risk register. The SO is accountable for all mitigating controls and for completing their agreed action plan within the agreed time frame. All exemptions must be reviewed every 3 months, or at a longer interval if agreed in the action plan, by the System Owner and at least 2 members of the ISMS Committee. The ISMS Committee will maintain the list of authorised exemptions and the reasons why they exist.

Deviation

A system owner (SO) may also propose a permanent deviation from a policy statement or standard for an information asset under their remit, where no action plan exists or is being pursued to return the system to a compliant state. The ISMS Committee, working with the SO, is responsible for documenting any risks arising from the proposed deviation and specifying any mitigating controls that could be deployed to reduce the risk. The deviation must be documented and included in the System Owner Log and, where appropriate, the corporate risk register. The SO is responsible for any and all risks introduced to Infinity Works as a result of their deviation. All deviations must be reviewed at least every 12 months by the ISMS Committee and the respective SO. The ISMS Committee will maintain a list of authorised deviations and the reasons why they exist.

Supporting Documentation

This security policy should be read in conjunction with the Acceptable Usage Policy (AUP) and the supporting technical / configuration policies referred to below.

Formal Risk Assessment

Data Protection Impact Assessments (where relevant) and Security Risk Assessments must be carried out for all new systems and upgrades, whether developed in-house or by a third party.

Identification of risk from third party access

Third parties who require access to Infinity Works services may be asked to adhere to the requirements of the Infinity Works Acceptable Usage Policy (AUP).

Access Control and Password management

Users are required to follow good security practice in the selection, use and management of their passwords, and to keep them confidential. Every user must be assigned a unique ID and granted only the minimum level of access to systems and data necessary to perform their role. Further information can be found in the following:

Change management

Controls must be in place to ensure that changes to production and staging systems are authorised by the tech lead, risk assessed and approved before they are applied.

Physical Security

Physical security is in place in the Infinity Works offices to protect Infinity Works' physical and data assets and its employees. This is facilitated through the use of intruder alarms, physical access control systems, CCTV and Wireless Access Point Testing, as documented in the:

Responsibility for Policy Maintenance

The ISMS Committee is responsible for ensuring that this policy is kept current as needed for compliance purposes.
