Information Systems Security Policy

Purpose

The protection of our information technology systems is of primary importance to our organisation. Maintaining the confidentiality, integrity, and availability (CIA) of the IT systems we use ensures that the operations we perform, and the services we provide, continue to meet our business objectives, comply with regulatory and legal requirements, and fulfil the requirements of our stakeholders. It also ensures that any personal data we process about our employees and customers is kept secure, minimising any potential risks or harm that may be caused by a breach of that data.

Management are committed to the security of our information, and have developed and approved this information systems security policy in line with the requirements of the ISO 27001 standard for information security, and our organisation’s business requirements.

This document sets out the approved information systems security policy so that it can be clearly communicated to all employees, contractors, and third-parties who have responsibilities for developing, managing, and maintaining our IT systems.

Scope

This policy shall apply to the development, administration, and acquisition of all IT systems that fall within the scope of our organisation’s ISMS.

Audience

All employees, contractors, and third-parties who have responsibility for the design, development, administration, acquisition, and monitoring of our information systems shall adhere to this Information Systems Security Policy. These include, but are not limited to, the following roles:

For the purposes of this document, employees, contractors, and third-parties who carry out these roles shall be collectively referred to as “administrators”.

Communication

This Information Systems Security Policy shall be communicated to all employees and agency staff as part of the relevant department training programme, and periodically following any changes to the policy. All contractors and third-parties providing IT services or involved in projects which require connection to our IT systems shall be provided with a copy of this policy as part of the process for contracting services. Contractors and third-parties shall be re-issued with updated versions of this policy periodically, and following any changes.

Disciplinary Process

Where an administrator performs an activity or activities in breach of this Information Systems Security Policy, they shall be subject to the disciplinary process documented in the Company Manual, or the applicable service contract.

Improvement

Management are committed to the continual improvement of our Information Systems Security Policy, and shall review this document on an annual basis, or whenever an independent review of our organisation’s ISMS reveals a non-conformance or opportunity for improvement. The Management Review shall determine if this policy continues to meet the requirements of our organisation.

Management also endeavour to plan our business operations so that our IT systems are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties and responsibilities to guard against misuse such as fraud or malicious insider activity. Where an administrator identifies potential conflicts or misuse of information systems due to improper planning and assignment of duties, they should raise their concern immediately with their line manager, or the ISMS Manager.

1. Maintaining Security Awareness

New threats and vulnerabilities to technologies and services emerge on a daily basis. To ensure that the potential impact of these information security risks is minimised, administrators must remain informed of any threats and vulnerabilities that may affect the services we provide, and the information systems that we use. This will allow security best practice, vulnerability, and threat management to be key elements of how we manage risk.

To maintain awareness of emerging threats and vulnerabilities, the following policies apply:

1.1 Analysing Threats

Maintaining awareness of threats and security issues that may impact our organisation and information assets is only useful if the information is appropriately analysed and actioned as part of a threat intelligence process or lifecycle. Threat intelligence, whether gathered from suitable, trusted sources such as those listed in section 1 above, or developed by our own organisation using tools such as security information and event management (SIEM) systems, is crucial to our ability to identify and respond to new and developing security threats. Threat intelligence can be divided into three main types, with each providing a different layer of information:

  1. Strategic intelligence – high-level, non-technical information about trends in malicious attacks, and the methods and tools attackers are using to launch them. For example, types of malicious attacks and attackers may vary between regions and industries. Where an organisation is expanding into a new region, gathering and assessing strategic threat intelligence would include identifying trends in malicious attacks and attackers in that region. This would allow management to proactively identify necessary resources such as additional security personnel or threat defence systems, before expanding into the new region.
  2. Tactical intelligence – detailed practical information about the tactics, techniques, and procedures (TTPs) used by malicious attackers to exploit weaknesses in an organisation’s infrastructure, and attack information systems and assets. For example, information about malicious traffic seen by security experts could help a networking team to configure their organisation’s network to block the traffic using methods such as IP blacklisting. The team could also use the information about malicious traffic to check log data for indicators of compromise (IOCs). These activities could even be automated using technology such as next generation firewalls with an intrusion prevention system (IPS).
  3. Operational intelligence – more detailed intelligence about how attacks are initiated, why, and by whom. This helps organisations to understand which information systems and assets are more likely to be attacked, and how. For example, information issued by security experts about a type of phishing campaign targeting users working in public infrastructure could help a system administrator working in a state body to pre-emptively issue warnings to users about the campaign, and identify which systems are likely to be exploited if there is a successful phishing attempt. This would then allow a response plan to be developed and implemented to inform personnel, and patch or reconfigure vulnerable systems.
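The log-data IOC check mentioned under tactical intelligence above, as an added example that is not part of this policy document: a small Python script that matches constructed firewall-style and proxy-style log lines against a constructed IOC list of network ranges and domains. Every IOC value, log line and field name is constructed for illustration (documentation address ranges and .invalid domains); none is a real indicator.

```python
"""Check constructed log lines against a constructed IOC list.

Added example; not part of the policy document. Every IOC value, log line and
field name here is constructed for illustration (documentation/reserved ranges
and .invalid domains), not a real indicator.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed IOC feed: network ranges and domains (illustrative only).
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
IOC_DOMAINS = {"bad-example.invalid", "phish-example.invalid"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def ip_matches(ip: str) -> bool:
    """True if the address falls inside any IOC network range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def domain_matches(host: str) -> bool:
    """True if the host is an IOC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit record per IOC match, with the 1-based line number."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip_matches(ip):
                hits.append({"line": lineno, "kind": "ip", "indicator": ip, "log": line})
        for host in URL_HOST_RE.findall(line):
            if domain_matches(host):
                hits.append({"line": lineno, "kind": "domain", "indicator": host, "log": line})
    return hits


# Constructed sample log: firewall-style and proxy-style lines, three of which
# touch an IOC (lines 2, 4 and 5) and two of which are benign.
SAMPLE_LOG = [
    "2024-01-10T09:00:01Z fw allow src=10.0.0.5 dst=192.0.2.10 proto=tcp dport=443",
    "2024-01-10T09:00:07Z fw allow src=10.0.0.8 dst=203.0.113.45 proto=tcp dport=443",
    "2024-01-10T09:01:12Z proxy user=alice url=https://www.example.com/ status=200",
    "2024-01-10T09:02:30Z proxy user=bob url=https://login.phish-example.invalid/auth status=200",
    "2024-01-10T09:03:00Z fw deny src=198.51.100.7 dst=10.0.0.22 proto=tcp dport=22",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} IOC {hit['indicator']} -> {hit['log']}")
```

Matching on network ranges rather than exact addresses, and on subdomains rather than exact hostnames, is what lets a feed entry such as a /24 or an apex domain catch the variants an attacker rotates through; the hit records keep the original line so an analyst can pivot back to the source event.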

When analysing and actioning threat intelligence, the following policies shall apply:

2. Controlling Changes

Our organisation’s information systems and services may be impacted by new vulnerabilities, changes in security best practice standards, emerging technologies, impacts to supply chains, introduction of new systems and services, etc. Where required, administrators may need to make or suggest changes to our operating procedures, training requirements, system configurations, etc., and may need to initiate new projects in order to meet our business objectives.

When administering our information systems, the following policies shall apply:

3. Protecting Information Systems & Assets

While users are required to use our organisation’s equipment and services in a secure way, administrators are required to design, develop, administer, and monitor our IT systems and equipment securely, ensuring that any risks to the security of our information are minimised in line with our business objectives. The following section sets out our requirements for IT systems and equipment security.

3.1 Maintaining an Asset Inventory

To ensure all IT systems and equipment are appropriately identified and secured, administrators shall maintain an Equipment Register. The inventory shall include, but may not be limited to:

The Equipment Register shall be reviewed at regular intervals, or when major changes occur, to ensure that it is kept up-to-date and accurate.

3.1.1 Inventorying cloud-based assets

Where assets are predominantly cloud-based, it may not be possible or practical to maintain a full and up-to-date asset list, as resources may be spun up or shut down on demand. In this case, the following policies apply:

3.2 Securing & Maintaining Equipment

Physical assets may be physically damaged, tampered with, or removed, resulting in a risk to the security of our IT systems and information. Our physical assets must be appropriately protected from damage in line with our business requirements. The following policies shall apply:

3.3 Controlling Malware

Malware is a common tool used to disrupt and destroy information systems, and can include viruses, ransomware, rootkits, spyware, botnets, etc. which may then contribute to other types of malicious attacks, such as DoS and DDoS attacks. Administrators shall implement appropriate controls to prevent malware from infecting and spreading on our IT systems. Administrators shall apply the following policies for controlling malware.

3.3.1 Anti-virus

3.3.2 Personal and host-based firewalls

3.3.3 Email and web filtering

Email and internet services are frequently used to launch malicious attacks such as phishing and ransomware attacks. Reducing the likelihood that malicious emails will be delivered to users, or that users will be able to browse to malicious sites, reduces the risk of malware infection, and any impacts that may have on the security of our information and information systems.

The following policies apply:

3.3.4 Software and application installation control

3.4 Controlling Removable Media

Removable media includes, but is not limited to, USBs, CDs, DVDs, mobile phone storage, external hard-drives, backup tape media, etc. While removable media, and particularly USBs, are sometimes used to introduce malicious software and applications to company endpoints and networks, their primary purpose is to store and transfer data. Company data stored on removable media may be easily lost or stolen due to its portability. Removable media therefore poses a risk to the security of our IT systems and information, and the following policies shall apply:

3.5 Controlling Mobile Devices

Evercam follows a Bring Your Own Device (BYOD) policy. Where appropriate, the use of personal mobile devices is allowed as documented in our Information Security Policy. If a company phone is issued, the device needs to be appropriately controlled in order to maintain the security of the information and services it may access and store. The following policies for securing mobile devices shall apply to company-issued phones.

3.5.1 Mobile phones

3.5.2 Laptops

Evercam follows a Bring Your Own Device (BYOD) policy; each employee is therefore responsible for the safe and secure use of their own work devices (laptops). The following rules apply:

3.6 Hardening & Patching

Security vulnerabilities can be introduced to our IT systems and information assets through misconfiguration, software bugs, and other weaknesses. To ensure that our IT systems and information assets are protected against these types of vulnerabilities, the following policies shall apply:

3.7 Secure Disposal

Information stored on assets can potentially be recovered even after they are removed from our organisation’s network, and disposed of. Disposal of any asset containing company data must therefore be done securely, ensuring that any information remaining is no longer readable. The following policies shall apply:

3.8 System Continuity & Information Backup

Situations may occur where an IT system or information asset is compromised or fails, despite having the required controls in place. When this happens, it should be possible to restore the IT system or information asset, and recover the information to an acceptable level. The following policies shall apply for IT systems and information backup:

3.9 Information Protection

There may be situations where additional technical protections are required to further restrict the access, copying, and sharing of sensitive or confidential data stored on, or processed using, our information assets. These additional technical protections are typically referred to as data masking and data loss prevention (DLP), or data leakage prevention, techniques. The following policies shall apply for identifying and implementing suitable information protection techniques, where required:

4. Protecting Networks & Communications

Our organisation’s network is a critical part of providing information services both internally to our users, and externally to our clients and other third-parties, and can be physical, virtual, cloud-based, or a combination. Our network, and communications technologies that we may use as part of that network, shall be appropriately protected to minimise any information security risks in line with our business requirements. The following policies apply for securing our network.

4.1 Secure Network Design

When designing the network, administrators shall apply the principle of defence in depth to ensure that information systems and assets are protected according to their criticality by applying multiple security controls such as those documented in section 3 of this policy, and other network security controls such as IPS, IDS, etc.

4.1.1 Using Wi-Fi

Where Wi-Fi is used in our organisation’s offices, the following policies shall apply:

4.2 External Access & Connections
4.3 Using Encryption

5. Controlling Access

Implementing appropriate access controls for information and associated information assets is essential to minimising the risk of unauthorised access, data breach, accidental modification, and other malicious or damaging activities that may originate from both inside and outside of our organisation. Information and associated information assets must be protected according to their classification, our business requirements, and our legal and regulatory requirements as documented in our Information Security Policy. Access control shall be implemented so that only authorised users have access to information and associated information assets. This section sets out our requirements for access control.

5.1 Managing Passwords

One of the standard methods of authenticating access to IT systems and information is by using password management systems. The use of passwords and account controls has changed over time, and some password management systems no longer require rotation and expiry of passwords, but instead enforce passwords of greater length and complexity, along with secondary authentication such as biometrics, security tokens, device registration, etc. The following policies shall apply for our organisation.

5.1.1 Choosing a password management system

5.1.2 Managing user accounts

5.1.3 Managing privileged accounts

5.1.4 Managing generic accounts

Generic and service accounts may be used to run unattended operations, background services, provide temporary user or guest access, provide access to a shared account, etc. The following policy applies for managing generic and service accounts:

6. Cryptographic Controls

Our organisation primarily uses cryptographic controls to protect the confidentiality and integrity of our data by encrypting it in transit and at rest, and to provide authentication to access IT systems and information assets by using public/private key pairs. This section sets out our requirements for managing cryptographic controls. The following policies apply:

Application                                            Encryption Type
Web-portals, websites, SaaS applications using HTTPS   Minimum of TLS 1.3, AES 128 bit GCM
Laptop disk encryption                                 Full disk encryption using a minimum of AES-128 bit
Password storage                                       Bcrypt if possible, if not, then a minimum of SHA-512 with unique salt and at least 10,000 iterations
VPN                                                    IPsec with a minimum cipher of AES 128 bit GCM
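The password storage row of the table above, worked through as an added example that is not part of this policy document: a standard-library Python implementation of the SHA-512 fallback (PBKDF2-HMAC-SHA512 with a unique random salt and at least 10,000 iterations), plus an audit helper that flags stored records which fall below the table's floor. bcrypt, the table's preferred option, requires a third-party package and is not shown. The record format "pbkdf2_sha512$<iterations>$<salt>$<digest>", the 210,000-iteration default and the 16-byte salt length are constructed choices for this example, not values from the policy.

```python
"""Password storage meeting the table's SHA-512 fallback: PBKDF2-HMAC-SHA512,
a unique random salt per password, and at least 10,000 iterations.

Added example; not part of the policy document. bcrypt (the table's preferred
option) needs a third-party package, so this shows the standard-library route.
The record format "pbkdf2_sha512$<iterations>$<salt>$<digest>" is a constructed
convention for this example.
"""
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha512"
MIN_ITERATIONS = 10_000        # floor stated in the cryptographic controls table
DEFAULT_ITERATIONS = 210_000   # constructed default, well above the floor
SALT_BYTES = 16                # constructed salt length for this example


def policy_allows_iterations(iterations: int) -> bool:
    """The table's iteration floor, as a single reusable check."""
    return iterations >= MIN_ITERATIONS


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a fresh salted record; a new random salt is generated on every call."""
    if not policy_allows_iterations(iterations):
        raise ValueError(f"iterations must be at least {MIN_ITERATIONS}")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    if scheme != SCHEME:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def meets_policy(record: str) -> bool:
    """Audit helper: does a stored record satisfy the table's requirements
    (SHA-512 scheme, a salt present, iteration floor met)? Legacy unsalted
    single-round hashes fail this check."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
    except ValueError:
        return False
    return policy_allows_iterations(iterations) and len(salt) >= SALT_BYTES


# Constructed example of a legacy record the table does not allow:
# a bare, unsalted, single-round SHA-512 hex digest.
LEGACY_UNSALTED_SHA512 = hashlib.sha512(b"example-password").hexdigest()

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("policy ok:", meets_policy(rec), "| legacy ok:", meets_policy(LEGACY_UNSALTED_SHA512))
```

Storing the iteration count inside the record is what lets the count be raised later without invalidating existing users: old records keep verifying with their own count, and meets_policy reports which of them need re-hashing at next login.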

6.1 Managing Cryptographic Keys

Our organisation may generate cryptographic keys for the following reasons (this list should not be considered exhaustive):

The following policies apply:

7. Logging and Monitoring

To assist in identifying issues such as malicious activity, misconfigurations, incidents, security incidents, service failures, etc., it is critical that our organisation ensures that activities that take place on our organisation’s network, IT systems, and information assets are appropriately logged and monitored. This section sets out our requirements for the auditing and review of logging information. The following policies apply:

8. System Testing

As changes are made to our IT systems, services, and information assets, new vulnerabilities and weaknesses may be introduced. New threats are also emerging on a daily basis. Independent system testing at planned intervals can assist in ensuring that our IT systems and information assets continue to be adequately protected in line with our organisation’s requirements. The following policies for system testing shall apply:

9. Identifying & Reporting Incidents

Administrators play a key role in the identification and reporting of potential security incidents, and are frequently first responders. Where a potential security incident has been reported, either by a user, another administrator, or in situations where an administrator notices a potential incident themselves, the following policies shall apply:

10. Performing Reviews

Like security testing, auditing and review activities are essential to ensure that the development, management, and maintenance of our IT systems and information assets remain in line with the requirements of this policy. Review activities will also assist in identifying potential improvements. The following policies apply for performing reviews: