Information security policy

Introduction
The objective of this policy is to protect the confidentiality, integrity and availability of information and information systems under our control. To this end, we have established and implemented an information security management system in accordance with ISO/IEC 27001:2013.

Scope
This policy applies to all business units, office locations, business functions, employees, contractors and suppliers.

General policies

  • Protect the organisation’s people and property
  • Protect our clients’ information and property
  • Comply with all relevant laws and regulations
  • Fulfil or exceed our contractual obligations
  • Educate employees on their responsibilities
  • Report security incidents and concerns immediately
  • Maintain a business continuity and disaster recovery plan
  • Conduct regular audits for compliance and corrective action
  • Risks will be routinely assessed, prioritised and mitigated
  • Establish a security board for regular review and improvement

Specific policies

  • An accurate inventory of information assets shall be maintained.
  • Access to information facilities, systems and networks shall be limited to authorised users.
  • Privileged access rights will be restricted to qualified staff on a need-to-know basis.
  • Use of information systems shall be for legitimate business purposes only.
  • Passwords must be complex and must not be disclosed or shared.
  • Equipment shall be protected from loss, damage and theft.
  • Antivirus software shall be operational and up to date.
  • Firewalls shall be enabled with approved rules.
  • Remote access will be secured via approved VPN software.
  • Wireless access must be secured with WPA2 and/or VPN.
  • Software security patches will be installed as soon as possible.
  • Backups will be maintained and tested regularly.
  • The processing of personal data shall be controlled and documented.
  • Information will be classified according to its sensitivity.
  • Classified information must not be disclosed without authorisation.
  • Sensitive information must be adequately protected during transit and storage.
  • Use of information systems and networks will be routinely logged and monitored.
  • Security requirements will be established and agreed with relevant parties.
  • Security incidents and concerns must be reported immediately.
  • Employees shall be subject to disciplinary action for non-compliance.

This policy is supported by detailed topic-specific policies, processes and procedures, which are mandatory reading for responsible parties. Employees shall be subject to disciplinary action for non-compliance.

Authority
The board of directors supports and endorses this policy and will ensure that appropriate resources are made available for its operation and enforcement.