Information Security Policy
Information security requirements
A clear definition of Sphere IT's information security requirements will be agreed and maintained so that all ISMS activity is focused on meeting these requirements. Regulatory and contractual requirements will also be documented and fed into the planning process. Specific security requirements for new or changed systems or services will be addressed as part of the development stage of each project.
It is a fundamental principle of the Information Security Management System that the controls implemented are guided by the needs of the business and this will be communicated regularly to all employees through team meetings and information documents.
Framework for setting goals
A regular cycle will be used to establish information security objectives.
Information security objectives will be documented, along with information on how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure they remain valid.
In accordance with ISO/IEC 27001, the reference controls detailed in the Annex A of the standard will be adopted where appropriate by Sphere IT. These will be regularly reviewed as a result of risk assessments and in accordance with information security risk treatment plans. For details on which Annex A controls have been implemented and which have been excluded, see the Statement Of Applicability.
In addition, improved and additional controls from the following codes of practice will be adopted and implemented where appropriate:
- ISO/IEC 27002 - Code of practice for information security controls
Continuous improvement of the ISMS
Sphere IT's guidelines for continuous improvement are:
- Continuously improve the effectiveness of the ISMS
- Improve current processes to align with best practices as defined in ISO/IEC 27001 and related standards
- Obtain ISO/IEC 27001 certification and maintain it continuously
- Increase the level of proactiveness (and stakeholder perception of proactiveness) with regard to information security
- Review relevant metrics annually to assess whether it is appropriate to change them, based on historical data collected
- Obtain improvement suggestions through regular meetings and other forms of communication with stakeholders
- Review suggestions for improvement at regular management meetings to prioritize and assess deadlines and benefits
Suggestions for improvement can be obtained from any source, including employees, customers, suppliers, risk assessments and service reports. Once identified, they will be recorded and evaluated as part of management reviews.
Information security policy areas
Sphere IT sets policy in a wide variety of information security-related areas. These policies are described in detail in a comprehensive set of documentation that accompanies this overarching information security policy.
Each of these policies is defined and agreed upon by one or more people with competence in the area in question and, once formally approved, is communicated to an appropriate audience, both internal and external to the organization.
The table below shows the individual policies within the documentation set and summarizes the content of each policy.
| Policy | Summary of content |
|---|---|
| A05-2 Internet Use Policy | Commercial Internet use, personal Internet use, Internet account management, security and monitoring, and prohibited uses of the Internet service. |
| A05-5 Social Media Policy | Guidelines on how social media should be used when representing the organization and when discussing issues relevant to the organization. |
| A06-4 Policy for the Use of Mobile Devices | Care and security of mobile devices such as notebooks, tablets and smartphones. |
| A06-5 Remote Work Policy | Information security considerations when establishing and managing a remote work site and arrangement, e.g. physical security, insurance and equipment. |
| A07-4 HR Information Security Policy | Recruitment, employment contracts, policy compliance, disciplinary process, termination. |
| A08-8 Asset Management Policy | Establishes the main rules for asset management from the point of view of information security. |
| A09-1 Access Control Policy | Registration and deregistration of users, granting of access rights, external access, access reviews, password policy, user responsibilities and access control to systems and applications. |
| A10-1 Encryption Policy | Risk assessment, technique selection, deployment, testing and review of cryptography and cryptographic key management. |
| A11-1 Physical and Environmental Security Policy | Defines guidelines for secure areas, security of equipment and physical documents, and equipment lifecycle management. |
| A11-6 Clean Screen and Clean Desk Policy | Security of information displayed on screens, printed and maintained on removable media. |
| A12-4 Anti-Malware Policy | Firewalls, antivirus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerting, technical analysis and malware incident management. |
| A12-5 Backup Policy | Backup cycles, cloud backups, offsite storage, documentation, recovery and protection tests. |
| A12-6 Records and Monitoring Policy | Settings for event collection (logs), protection and review. |
| A12-7 Software Policy | Purchasing software, registering, installing and removing software, in-house software development, and using software in the cloud. |
| A12-8 Technical Vulnerability Management Policy | Definition of vulnerabilities, sources of information, patches and updates, vulnerability assessment, hardening, awareness training and vulnerability disclosure. |
| A13-1 Network Security Policy | Network security design, including network segregation, perimeter security, wireless networks and remote access. Network security management, including roles and responsibilities, logging, monitoring, and changes. |
| A13-5 Electronic Messaging Policy | Sending and receiving electronic messages, monitoring electronic messaging facilities and using electronic mail. |
| A14-2 Safe Development Policy | Specification of business requirements, systems design, software development and testing. |
| A15-1 Information Security Policy in the Relationship with Suppliers | Due diligence, agreements with suppliers, monitoring and review of services, changes, disputes and termination of contract. |
| A18-3 Intellectual Property Policy | Protection of intellectual property, law, penalties and software license compliance. |
| A18-4 Records Protection Policy | Retention period for specific record types. |
Application of information security policy
The policy statements made in this document and in the set of supporting policies listed above have been reviewed and approved by Sphere IT management and must be adhered to. An employee's failure to comply with these policies may result in disciplinary action being taken in accordance with the Disciplinary Process.