Last updated 11-7-2024

1 Overall
1.1 Scope

The Information Security Policy (ISP) document is part of the strategic structure of Visabeira I&D (R&D), hereinafter referred to as the Organisation, and supports decision-making by setting priorities within the scope of Information Security.

Senior Management, aware of the importance of Information Security and of its own commitment, directs all the Organisation’s activities within the scope of the Information Security Management System (ISMS) and acts to involve and motivate all employees, on the basis that:

  • Information and its supporting processes, systems and networks are essential assets for the Organisation’s business. The confidentiality, integrity and availability of information are essential to preserving the Organisation’s competitiveness, turnover, profitability and market image.
  • The Organisation, aware of the importance of preserving the confidentiality, integrity and availability of information while carrying out its functions and pursuing its goals, undertakes to operate and continually improve an ISMS in order to comply with all regulatory, legal and other Information Security requirements.
  • The Organisation keeps best practices, standards, procedures and controls in place and maintains a process of ongoing improvement that is sustainable over time. This strategy allows Senior Management to create a culture of prevention, supporting the continuity of business processes and guaranteeing the integrity, confidentiality and adequate availability of all information assets relevant to the company.

Accordingly, all documents in the ISMS document structure (e.g. specific policies, rules, regulations, processes, procedures, models, evidence) must respect the principles, concerns and considerations established in this ISP.

1.2 Purpose

Information Security is relevant to all types of information and to all systems and applications which store, process or transfer it, whether in the context of simple paper-based indexing and archiving systems or specialised, technologically advanced systems.

This document therefore applies to all the Organisation’s employees, regardless of function, position or contractual relationship, as well as to all suppliers, partners and other users who have access to a workstation or information system within the Organisation.

1.3 Goal

The purpose of this document is to explain the Information Security structure of the Organisation in order to meet the following goals:

a) Define the Information Security structure, in line with its Organisational Model.

b) Provide a culture of security within the Organisation’s community.

c) Raise awareness among users as to the importance of Information Security.

d) Promote Information Security as an indispensable goal to be achieved.

e) Assess information security risks in order to implement the controls needed to reduce them to the established acceptance level.

f) Ensure and reinforce credibility and good reputation among employees, business partners and the general public.

g) Protect information from damage resulting from intentional acts, negligence, technical failures or force majeure.

1.4 Review and Communication

The Information Security Policy is reviewed annually and whenever there is a change in the scope of Information Security, in the internal organisation or in the legal framework, in order to ensure it remains suitable for the Organisation. Each revision must be communicated to all employees and made available to interested parties on request.

2 Information Security

2.1 Definition of Information Security

Information is paramount for the Organisation. Thus, whatever the form and means of transmission, collection and storage of information, it must be suitably protected.

Information Security aims to protect information from a wide range of threats through a risk management process, guaranteeing the continuity of organisational activities, maximising the return on the investments made and ensuring compliance with the international standard ISO/IEC 27001.

Based on the ISO/IEC 27001 standard, which defines Information Security as the preservation of the confidentiality, integrity and availability of information, the Organisation formally defines Information Security as the preservation of the confidentiality, integrity, availability and privacy of information; privacy is added to the standard’s three properties.

The four basic pillars of Information Security for the Organisation, as applied to information and information assets, are:

Confidentiality: Ensuring that information is accessed only by people who are authorised to do so.

Integrity: Ensuring the accuracy and completeness of information and of processing methods.

Availability: Ensuring that authorised users have access to the corresponding information and assets whenever necessary.

Privacy: Ensuring the fundamental right of each individual to decide who should have access to their personal data.

These concepts are complementary and must be understood as a whole. Information security is effective only when it is certain that information is accessible only to those who are authorised, that its integrity and completeness are guaranteed and that, whenever necessary, all authorised users can access it with due privacy.

This concerns all levels of the Organisation, and its effectiveness depends on the entire community being aware of the following points:

Awareness-raising: The Organisation’s community must be aware of the need to secure infrastructures and systems, and what their role can be in maintaining and increasing this security.

Responsibility: The entire Organisation’s community is responsible for infrastructures, systems and information security.

Performance: The Organisation’s community must act swiftly and in cooperation to prevent, detect and respond to Information Security incidents.

Ethics: The Organisation’s community must respect the legitimate interests of others.

Democracy: The security of infrastructure, systems and information must be compatible with the essential values of a democratic society.

Risk Analysis: Risk analyses must be conducted in order to identify threats and vulnerabilities and consequently define an acceptable level of risk.

Secure design, development and implementation: Security must be incorporated as an indispensable element of infrastructure, systems and information.

Security management: A global and detailed approach to Information security management should be adopted, involving the entire Organisation community in a coordinated and comprehensive manner.

Privacy Management: Personal Data must be safeguarded throughout its entire life cycle.

Reassessment: The security of the infrastructure, systems and information must be reviewed and reassessed periodically, modifying the Information Security policy, rules, regulations, processes and procedures whenever necessary.

2.2 Commitment to Information Security

The strategic vision of Information Security in the Organisation goes beyond the implementation of specific controls. Accordingly, actions are aligned with the principles and goals set out in the Information Security Management System and are managed in an integrated manner.

In order to ensure compliance with the organisation’s strategic goals, the Senior Management is committed to:

  • Ensuring compliance with legal and regulatory requirements in the area of Information Security.
  • Ensuring that the Organisation’s information system governance, management and operation actions are in line with the Information Security organisational model.
  • Establishing, implementing and continuously improving Information Security as a whole and, in particular, the Information Security Management System.

The benefits of establishing Information Security are the reduction in risks to the business, increased compliance with applicable legislation and regulations, protection of reputation, greater stakeholder confidence, as well as effective management of the Organisation’s resources.

Information Security in the Organisation is achieved by implementing a set of controls which can be: policies, standards, procedures, organisational structures, software functions or others.

These controls are necessary to ensure that the Organisation’s specific security goals are met and are based on Annex A of the international standard ISO/IEC 27001:2022, which groups the controls into the following four themes:

  • Organisational controls;
  • People controls;
  • Physical controls;
  • Technological controls.

2.3 Information Security Goals

In order to continuously improve its performance and the effectiveness of its ISMS, the Organisation has defined specific Goals with targets to be achieved, in line with its strategic goals and with its Information Security Policies and Procedures.

The Organisation’s Information Security Goals are:

  • Assess information security risks accurately in order to identify and implement the controls needed to reduce the risks to the acceptance level set by the Organisation.
  • Create a culture of security through training and awareness-raising for all employees with access to confidential information within the scope of the ISMS, and for employees in general.
  • Manage all profiles, access rules, competences and functions of all employees within the scope of the ISMS.
  • Define and implement the technical and organisational controls needed to guarantee the confidentiality, integrity, availability, auditability and traceability of information.
  • Treat information security as a process of continuous improvement, achieving increasingly advanced levels of security.

3 Implementation of the Information Security Policy

3.1 Context

  • Information and all its supporting processes, systems and networks are essential assets for an organisation’s business. The confidentiality, integrity, availability and privacy of information are among the fundamental elements for preserving an organisation’s competitiveness, turnover, profitability and image.
  • The security of information systems is increasingly being put to the test by threats of various types and origins, including electronic fraud, espionage, information leaks, sabotage, hackers and DoS (Denial of Service) attacks, which are becoming ever more sophisticated and ambitious.
  • Growing dependence on information systems and services makes organisations increasingly vulnerable to security threats. The use of public and private networks and the sharing of information resources add to the difficulty of managing access and its security.
  • Information security requirements are identified through an information security risk assessment. Carrying out a risk analysis helps to determine exposure and, consequently, to prioritise the most relevant risks, making it possible to identify suitable mitigation measures and controls.

The ISP is therefore the guiding pillar for the development of any document or decision-making at a tactical or operational level and is supported by Information Security Policies, Procedures and Rules, Standards and Work Instructions.

3.2 Non-compliance

Actions which violate the ISP or other ISMS-related policies, procedures, rules, standards or work instructions, or which breach Information Security controls, are subject to civil, criminal and administrative sanctions in accordance with the legislation in force, which may be applied separately or cumulatively.

Penalties are applied in proportion to the action taken in accordance with the procedures for disciplinary proceedings. Depending on the type of offence, disciplinary action may include, for example, suspension or interruption of the relationship between the Organisation and the parties involved.

In all cases, the provisions of the Criminal and the Civil Codes apply, as well as the Organisation’s internal rules, regulations, processes and procedures.

3.3 Handling Exceptions

Information Security goals are more easily achieved when the requirements and the corresponding processes and procedures are identical for all of the operation’s organic units, functional units and services.

However, standards, processes and procedures may not be feasible for a specific unit, ongoing project, new piece of equipment or newly installed application. It is foreseeable that, within the scope of the Organisation’s activities, there will be situations or scenarios that cannot be dealt with effectively within the requirements established in the ISP or other Information Security documentation.

Although deviation from centrally established processes and procedures is discouraged, at times the Organisation’s established processes and procedures can and should be changed, provided that the proposed alternative is justified and is given sufficient resources to implement and maintain the alternative requirements properly.

In order to deal with such situations in a timely manner while guaranteeing the security of the Organisation’s infrastructure, systems and information, every exception must be handled through the Organisation’s ISMS Change Management Procedure.

4 Information Security Organisation

4.1 Documented information

In order to meet the requirements of the ISO/IEC 27001 standard, the Organisation has drawn up a set of specific policies and procedures and their main controls.

The creation, maintenance, critical analysis, improvement and distribution of all ISMS documents is the responsibility of the Information Security and Privacy Committee, which consults other relevant areas whenever necessary.

4.1.1 Document Structure

To ensure the effective management of Information Security, a document structure is in place that guides, plans, implements, maintains and improves Information Security practices.

This structure covers various levels in order to decentralise Information Security management responsibilities to the various areas of the Organisation. The levels for which the ISMS implemented by the Organisation is documented and maintained are:

Level 1 General guidelines and commitments of the Organisation in its internal context and its relationship with the external context.

Level 2 Base documents which represent and explain the functioning of the ISMS, thus providing support for all other information security documents, taking into account the requirements of the reference standards, applicable legal requirements and applicable working methodologies.

Level 3.1 Policies which disclose the guidelines, controls, duties and specifications for the various areas of information security.

Level 3.2 Procedures serving as a means of clarifying details and specific aspects of activities or tasks within a given policy. Work instructions are documents with detailed descriptions of “how it’s done”, documents to consult when a certain task, activity or service needs to be carried out.

Level 3.3 Records are the result of completing a form. Records provide the elements for assessing the performance of the ISMS and are used to confirm the compliance of the measures taken.

The Information Security document structure is defined in the Organisation’s Information Security Documentation Framework.

4.2 Responsibilities

The Organisation defines the roles, responsibilities and authorities of all employees in the following documents:

  • Functions Manual;
  • Processes;
  • Information Security Standards and Procedures;
  • Operational documents (e.g.: Work Instructions, Records, among others).

The specific responsibilities and authorities within the scope of Information Security should be consulted in the respective documents that support the ISMS. However, all users, including Senior Management and all those who are part of the Information Security organisational structure, are responsible for behaving in a manner consistent with the principles and goals of Information Security. To this end, employees must be familiar with the operating instructions, rules and penalties of the services they use, and must also:

  • Fully respect and accept the rules and responsibilities defined in this document, as well as the Organisation’s internal rules and procedures on the use of information processing resources, in particular Information and Communication Technology resources.
  • Comply with the code of professional conduct, as well as the requirements of the law in force relating to activities in the development sector, especially data protection law.
  • Be accountable for acts that violate the rules for using computer resources and therefore be subject to the penalties defined in the documents governing the use of those resources and, where applicable, to the penalties imposed by the legislation in force.
  • Immediately report any Information Security fault or non-compliance they identify, in accordance with the incident reporting procedure.
  • Not impersonate another person or disguise their own identity while using computer resources.
  • Take responsibility for their electronic identity, passwords, authentication credentials, authorisations and other security devices, and not share them with anyone.
  • Be accountable for any improper use of their account and computer resources, in all circumstances.
  • Disclose confidential and internal information only in situations provided for by law, seeking ethical and legal advice beforehand.
  • Ensure and apply good practices in the management and maintenance of equipment and information processing.

4.3 Performance evaluation

4.3.1 Key Performance Indicators (KPI)

KPIs make it possible to assess information security performance and the effectiveness of the controls implemented in the ISMS. KPIs follow the SMART methodology (Specific, Measurable, Achievable, Relevant and Time-bound) and adhere to the following principles:

  • Aligned: consistent with the ISP and the information security goals.
  • Achievable: produce comparable and reproducible results during the evaluation.
  • Accurate: reliable and measurable.

KPIs are monitored, measured and reviewed annually during the Management Review to check whether or not they remain relevant and necessary for monitoring the ISMS and information security controls.

4.3.2 Internal audit

Internal audits of the ISMS are planned annually by the Information Security and Privacy Committee in order to monitor the effectiveness and efficiency of the policies and controls applied, and to contribute to the ongoing improvement of the ISMS.

Every year one audit is scheduled in the area of Data Protection and another in the area of Cybersecurity, using the GDPR and ISO/IEC 27001 respectively as reference frameworks, together with good market practice in information security and cybersecurity. The results of each internal audit are reported to Senior Management, Business Management, the Information Security Manager and the Information Security Team in an audit report.

4.3.3 Management review

The ISMS implemented by the Organisation is reviewed at least once a year by the Information Security and Privacy Committee in order to guarantee its continued applicability, suitability and effectiveness. This review is based on the requirements of the ISO/IEC 27001 standard.

5 Information Security for Suppliers

In order to ensure the protection of the Organisation’s assets, an appropriate and controlled process has also been implemented for contracting and maintaining suppliers, based on documents specific to the ISMS, establishing the principles and best security practices to be applied in relations with suppliers.

5.1 General issues

The principles contained in the implemented processes include:

  • External entities acting as service providers understand their roles and responsibilities, which are defined so as to minimise the risk of theft, fraud or misuse of information or information processing infrastructures;
  • Contracts with suppliers include confidentiality clauses, whereby they undertake to keep the terms of the agreement strictly confidential, as well as any other information they obtain about the company and its activity, including all organisational, technical or financial information;
  • External entities which use the information processing infrastructures must sign an agreement defining their roles and responsibilities in relation to Information Security, whenever this definition is not included in the contracts and agreements signed.

5.2 Review and Monitoring of Services

The services, reports and records provided by third parties are monitored and reviewed annually to analyse information security events, failures and operational problems. The data obtained is subsequently reviewed and used as an input to the evaluation of third parties.

5.3 Changes to Services

Changes to service provision, including maintaining and improving existing information security policies, procedures and controls, must be managed taking into account the sensitivity of the systems and based on a reassessment of risks. The Organisation will control how changes to the services provided by suppliers are developed and implemented.

6 PDCA Cycle of the Information Security Management System

The PDCA (Plan-Do-Check-Act) cycle is a methodology for diagnosing, analysing and evaluating problems for which organisations may have solutions, and for ensuring that the corresponding processes are adopted with suitable resources. The ISMS follows this methodology, as shown in the image below.

6.1 Continuous improvement

The ISMS is subject to periodic reviews, either scheduled in advance or triggered by significant changes, in order to improve its applicability, suitability and effectiveness.

7 References

This document was drawn up on the basis of best practices and market standards, namely:

  • ISO/IEC 27001 standard.

8 Annexes

No annexes are included.