Information security means that leadership must protect corporate information, and the information of customers, associates, and employees placed in its custody. Leadership needs to ensure that every employee understands the corporate concern with the protection of information through an Information Security Policy.
An effective information protection program cannot be solely defined in terms of trust. Rather, it must be based upon the same prudent business practices that applied to earlier manual systems: careful definition of individual responsibilities, separation of controls, maintenance of audit trails, protection of vital records, and access to information limited on a "need to know" basis.
Information security includes policies, procedures, controls, reviews and, especially, separation of duties. These must have real and continued management backing and involvement.
Management must be proactive regarding information security policy. They must let their people know through example that the practices are important. They must take pride in their program. They must help bring about attitudinal changes in their people through strongly administered awareness programs, bringing about a clear understanding of the reasoning behind information security, instilling real concern about information protection, and instilling dissatisfaction with anything less than great execution.
Executive leadership must ensure that newly appointed account management is apprised of the details of the information security policy.
In addition, to be successful with information security, management must also organize their business with clearly defined roles and responsibilities, with no conflicts of interest. Separation of responsibilities must be an integral part of information security. Training must be provided as required.
Further, management must also learn to manage "smarter". The multitude of information security practices required to address the major audit concerns and issues, and the associated workload, mandate that management be imaginative in administering the responsibilities both to put the information security policies in place initially and to maintain them on an ongoing basis.
Every employee must understand the rationale behind the information security policies in place. To facilitate that goal, establish an ongoing awareness program to educate employees about the practices. At a minimum, management should make information protection awareness a key element of each job description and a part of each employee's annual evaluation.
Adherence to Corporate Information Protection Policies, implementation of local procedures, promoting awareness, administering appropriate information access, reviewing access violations, etc., are all administrative concerns.
Make each manager responsible not only for the protection and integrity of assets under their control, but also for compliance with Corporate Information Protection Policies and Procedures. Each manager must make the necessary risk management decisions that consider the unique environment in which their resources are used, and must be prepared to justify those decisions during an audit.
Our company information is one of our most important assets, second only to our employees. Our company information includes all proprietary information, in any form, related to the business of our company that has been created using the resources of our company.
As our company competes in the global marketplace, it is very important that each employee understands the competitive value of our company information and their responsibility to protect it. Our company must be able to demonstrate that it has exercised due diligence in protecting its information. In this way it can successfully assert its rights to that information through legal channels.
This information security policy identifies the high-level guidance for Information Protection for all business entities of our company. It is based on the three sides of an Information Protection triangle, where the three legs consist of: Information Security, Business Continuity, and IT Compliance.
The Information Security leg consists of confidentiality and integrity. Confidentiality ensures that our company information is not disclosed to anyone who is not authorized to access it. Linked to this concept is the idea of "need-to-know", authorizing access only to those who can demonstrate a legitimate need for our information. Integrity ensures that information cannot be accidentally or intentionally modified or destroyed.
The Business Continuity leg consists of mitigation, crisis management, and contingency management. Mitigation deals with reducing or eliminating risks. Crisis management deals with the planning and training of people for the survival of the company team and the business entity following a disaster. Contingency management deals with planning for the recovery and continuation of critical internal and customer business functions following a service interruption, and with the testing of business recovery plans. This segment was also known as availability in the past, but its scope is much broader today.
The IT Compliance leg consists of practices that do not fall within the scope of the other two legs. Included in its scope is adherence to the laws and ethics that govern us, e.g., copyright infringement, software licensing, export compliance, etc. These are controls, laws, or ethics principles, and are exactly what auditors look for, which is why the leg is called IT Compliance (being able to pass a stringent audit because the business is controlled, information is adequately protected, and laws are not being violated).
The following identifies Information Protection requirements for our company:
1. Information, in any form, relating to the business of our company, and created using the resources of our company, is an asset owned by our company. Our company information should be protected from unauthorized disclosure, modification, and destruction, whether intentional or unintentional.
2. All our company employees are collectively and individually responsible for protecting information. They must comply with the policy set forth in this document and any other information protection documents derived from this policy. These include employee codes of conduct and other documents required as part of the terms of employment.
3. Ongoing awareness and training activities to inform our employees of information protection issues are mandated as part of the ongoing support of information protection.
4. Our company information, when created, must be assessed according to its value and sensitivity to disclosure, and be managed according to "need-to-know". We identify controls that define our information handling, retention, and destruction requirements.
5. Our company information must bear the legal and business markings pertinent to communicate ownership, rights, and handling instructions. Such markings include, but are not limited to: Copyright, Trademark, Patent, and the classification level.
6. Our company information cannot be released to the public through media interviews, publications, seminars, conversations, or in any other manner without a review procedure and management approval.
7. The computing and communication environment in which we create, process, store, and transmit information must be assessed as to the criticality of its existence and function relative to the business. Contingency management measures based on this assessment must be defined, implemented, maintained, and tested.
8. Systems and applications which process or communicate our company information must be created and maintained using a system development methodology that addresses the three sides of the Information Protection triangle: Information Security, Business Continuity, and IT Compliance.
9. Our company and its employees comply with all legal requirements and all contractual agreements requiring information protection, e.g., copyright infringement, software licensing, patents, etc.
10. Our company and its employees should comply with the laws and regulations within each country where we conduct our business. This includes, but is not limited to, import and export regulations and the cross-border transfer of information and technology.
11. Our company and its employees should comply with our information retention requirements, which support the business and legal requirements.
12. Our company reserves the right to monitor and audit any and all activity and information within the computer and communication resources utilized in support of our business. We may authorize a third party to exercise this right on behalf of our company.
13. Our company entities shall conduct an annual self-assessment regarding information protection controls, implementing corrective action where needed.
14. Suspicion or occurrence of any fraudulent activity, unauthorized disclosure, modification, or destruction of our company information, and intrusions into the computing and communications environment, must be reported to our company Security
Data centers and computer rooms must have good physical security and strong protection from disaster and security threats, whether natural or caused by other reasons, in order to minimize the extent of loss and disruption.
Backup media containing business essential and/or mission critical information must be housed off-site at a safe distance from the main site in order to avoid damage arising from a disaster at the main site.
Equipment Security
All Information Systems must be placed in a secure environment or attended by staff to prevent unauthorized access.
Staff in possession of laptop, portable computer, personal digital assistant, or mobile computing devices for business purposes must safeguard the equipment in their possession, and must not leave the equipment unattended without proper security measures.
IT equipment must not be taken off the property without proper control.
Physical Access Control
A list of persons who are authorized to gain access to data centers, computer rooms or other areas supporting critical activities, where computer equipment and data are located or stored, must be kept up-to-date and be reviewed periodically.
All access keys, cards, passwords, etc. for entry to any of the computer systems and networks must be physically secured or subject to well-defined and strictly enforced security procedures.
All visitors to data centers or computer rooms must be monitored at all times by an authorized person.
Automatic protection features (e.g. password protected screen saver, keyboard lock) in servers, computer terminals, workstations or microcomputers should be activated after a predefined period of inactivity to prevent unauthorized system access attempts. Alternatively, the logon session and connection should be terminated. Also, user workstations should be switched off, if appropriate, before leaving work for the day or before a prolonged period of inactivity.
All staff with separate personal offices that can be directly accessed from a public area and contain Information System(s) should lock the doors when these offices are not in use.
The display screen of an Information System on which classified information can be viewed must be carefully positioned so that unauthorized persons cannot readily shoulder-surf.
Access to information must not be allowed unless authorized by the relevant information owner.
Data access rights must be granted to users on a need-to-know basis.
Data access rights must be clearly defined and reviewed periodically.
Access to an Information System containing confidential or classified information must be restricted by means of logical access control.
Authentication
Access to classified information without appropriate authentication must not be allowed.
Authentication must be performed in a manner commensurate with the sensitivity of the information to be accessed.
Consecutive unsuccessful log-in attempts must be controlled.
Privacy
Management reserves the right to examine all information stored in or transmitted by company-owned computer systems.
User Identification
Each user identity (user-ID) must uniquely identify only one user. Shared or group user-IDs are not permitted unless explicitly approved by the IT Security Officer.
Users are responsible for all activities performed with their user-IDs.
User Privileges Management
All accounts must be revoked after a pre-defined period of inactivity.
User privileges must be reviewed periodically.
At the time that a member of staff is transferred or ceases to provide services to the company, all related Information Systems privileges must be promptly terminated.
The use of special privileges must be restricted and controlled.
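As an added example that is not part of the original policy, the Python sketch below enforces the control on consecutive unsuccessful log-in attempts from the Authentication section together with the inactivity revocation and prompt termination rules of this section; the threshold, lockout period, inactivity limit and user names are assumptions.

```python
"""Account-state gate for two controls stated in the policy: consecutive
failed log-in attempts are limited (lockout), and accounts unused for a
predefined period, or belonging to staff who transfer or leave, are
revoked. Constructed example; thresholds and user names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                   # assumed lockout threshold
LOCKOUT_PERIOD = timedelta(minutes=30)    # assumed lockout duration
INACTIVITY_LIMIT = timedelta(days=90)     # assumed revocation period


@dataclass
class Account:
    user_id: str                          # one user-ID identifies exactly one user
    last_activity: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    revoked: bool = False
    audit: list = field(default_factory=list)   # audit trail of decisions


def record_login(acct: Account, success: bool, now: datetime) -> str:
    """Apply the revocation, lockout and failed-attempt rules to one attempt.
    Returns 'revoked', 'locked', 'denied' or 'ok'."""
    # Inactivity is checked first so a dormant account cannot be revived
    # simply by presenting the right password after the limit has passed.
    if acct.revoked or now - acct.last_activity > INACTIVITY_LIMIT:
        acct.revoked = True
        acct.audit.append(f"{now.isoformat()} {acct.user_id} REVOKED")
        return "revoked"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            acct.audit.append(f"{now.isoformat()} {acct.user_id} LOCKED attempt")
            return "locked"
        acct.locked_until = None          # lockout period has elapsed
        acct.failed_attempts = 0
    if not success:
        acct.failed_attempts += 1
        acct.audit.append(f"{now.isoformat()} {acct.user_id} FAILED #{acct.failed_attempts}")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_PERIOD
            acct.audit.append(f"{now.isoformat()} {acct.user_id} LOCKOUT until "
                              f"{acct.locked_until.isoformat()}")
            return "locked"
        return "denied"
    acct.failed_attempts = 0              # a good log-in resets the counter
    acct.last_activity = now
    acct.audit.append(f"{now.isoformat()} {acct.user_id} OK")
    return "ok"


def terminate_privileges(acct: Account, now: datetime, reason: str) -> None:
    """Prompt termination when staff are transferred or leave the company."""
    acct.revoked = True
    acct.audit.append(f"{now.isoformat()} {acct.user_id} REVOKED {reason}")


def demo() -> dict:
    """Walk the rules through three constructed accounts; returns each outcome."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    out = {}
    alice = Account("alice", last_activity=t0)
    for i in range(1, MAX_FAILED_ATTEMPTS + 1):
        out[f"fail{i}"] = record_login(alice, False, t0 + timedelta(seconds=i))
    # The correct password is still refused while the lockout is in force.
    out["during_lockout"] = record_login(alice, True, t0 + timedelta(minutes=5))
    out["after_lockout"] = record_login(alice, True, t0 + LOCKOUT_PERIOD + timedelta(minutes=1))
    bob = Account("bob", last_activity=t0)
    out["dormant"] = record_login(bob, True, t0 + INACTIVITY_LIMIT + timedelta(days=1))
    carol = Account("carol", last_activity=t0)
    terminate_privileges(carol, t0, "transferred")
    out["transferred"] = record_login(carol, True, t0 + timedelta(minutes=1))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:15} {result}")
```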
Password Management
Business entities must define a strict password policy that details, at a minimum, minimum password length, initial assignment, restricted words and format, and password life cycle, and that includes guidelines on suitable system and user password selection.
Passwords must not be shared or divulged unless necessary (e.g., helpdesk assistance, shared PC and shared files). The risk of sharing passwords is that it increases the probability of security being compromised. If passwords must be shared, explicit approval from the IT Security Officer must be obtained. In addition, shared passwords should be changed promptly when the need no longer exists and should be changed frequently if sharing is required on a regular basis.
Passwords must always be well protected when held in storage. Passwords must be encrypted when transmitted over an untrusted communication network. Compensating controls must be applied to reduce the risk exposure of Information Systems to an acceptable level if encryption is not available.
Staff are prohibited from capturing or otherwise obtaining passwords, decryption keys, or any other access control mechanism which could permit unauthorized access.
All vendor-supplied default passwords must be changed before any Information System is put into operation.
All passwords must be promptly changed if they are suspected of being compromised, or if they have been disclosed to vendors for maintenance and support.
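The following added example (not code from the original policy) shows how the password policy elements listed above can be enforced in Python, together with salted-hash storage so that passwords are protected when held in storage; the minimum length, restricted-word list, life cycle, history depth and scrypt parameters are assumptions.

```python
"""Password policy enforcement and protected storage for the password
requirements above: minimum length, restricted words and format, password
life cycle, and protection of passwords held in storage. Constructed
example: the limits, restricted-word list and scrypt parameters are
assumptions, not values taken from the policy."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 12                          # assumed minimum password length
MAX_AGE = timedelta(days=90)             # assumed password life cycle
HISTORY_DEPTH = 5                        # assumed: previous passwords that may not be reused
RESTRICTED_WORDS = {"password", "company", "welcome", "qwerty"}   # assumed list


def check_policy(candidate: str, user_id: str) -> list:
    """Return the policy violations for a candidate password (empty = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if user_id.lower() in lowered:
        problems.append("contains the user-ID")
    for word in sorted(RESTRICTED_WORDS):
        if word in lowered:
            problems.append(f"contains restricted word '{word}'")
    # Format rule: at least three of lower case, upper case, digit, symbol.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if re.search(r"(.)\1\1", candidate):
        problems.append("repeats a character three or more times in a row")
    return problems


def hash_password(candidate: str, salt: Optional[bytes] = None) -> tuple:
    """Salted scrypt digest: the stored value does not reveal the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)


class PasswordRecord:
    """Stored credential for one user-ID: current salt/digest, the time it
    was set, and the digests of recent passwords for the reuse check."""

    def __init__(self, user_id: str):
        self.user_id = user_id
        self.current = None        # (salt, digest) once a password is set
        self.set_at = None
        self.history = []          # previous (salt, digest) pairs, newest first

    def set_password(self, candidate: str, now: datetime) -> list:
        """Apply the policy and the reuse rule; store only if both pass."""
        problems = check_policy(candidate, self.user_id)
        previous = ([self.current] if self.current else []) + self.history
        if any(verify_password(candidate, s, d) for s, d in previous):
            problems.append(f"reuses one of the last {HISTORY_DEPTH + 1} passwords")
        if problems:
            return problems
        if self.current:
            self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(candidate)
        self.set_at = now
        return []

    def is_expired(self, now: datetime) -> bool:
        """Life-cycle check: a password past MAX_AGE must be changed."""
        return self.set_at is None or now - self.set_at > MAX_AGE

    def authenticate(self, candidate: str) -> bool:
        return bool(self.current) and verify_password(candidate, *self.current)


def demo() -> dict:
    """Exercise the rules on constructed input; returns each outcome."""
    t0 = datetime(2024, 1, 1)
    rec = PasswordRecord("jsmith")
    out = {"weak": rec.set_password("Password1", t0)}
    out["strong"] = rec.set_password("Tr0ub4dor&Horse", t0)
    out["auth_ok"] = rec.authenticate("Tr0ub4dor&Horse")
    out["auth_bad"] = rec.authenticate("Tr0ub4dor&Horse!")
    out["reuse"] = rec.set_password("Tr0ub4dor&Horse", t0 + timedelta(days=30))
    out["expired"] = rec.is_expired(t0 + timedelta(days=91))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```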
Network Access Control
Prior approval from the IT Security Officer is required to connect an Information System with another Information System under the control of another entity. The security level of the Information System being connected must not be downgraded.
Logging
Business entities must define policies relating to the logging of activities of Information Systems under their control according to the business needs and data classification.
Any log kept must provide sufficient information to support comprehensive audits of the effectiveness of, and compliance with, information security measures.
Logs must be retained for a period commensurate with their usefulness as an audit tool. During this period, such logs must be secured so that they cannot be modified, and can only be read by authorized persons.
Logs must not be used to profile the activity of a particular user unless it relates to a necessary audit activity supported by the IT Security Officer.
Regular checking of log records, especially on systems/applications where classified information is processed/stored, must be performed, covering not only the completeness but also the integrity of the log records. All system and application errors which are suspected to be triggered as a result of security breaches must be reported and logged.
Clock synchronization should be configured to keep the clocks of Information Systems in sync.
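As an added example that is not part of the original policy, the Python sketch below implements the integrity, completeness, retention and clock-consistency requirements of this section as a tamper-evident, HMAC-chained log; the key, the sample entries and the retention period are assumptions.

```python
"""Tamper-evident audit log for the logging rules above: every record is
chained to its predecessor with an HMAC so that modification, reordering or
truncation is detectable, out-of-order timestamps (a clock-sync symptom)
are flagged, and retention is decided by record age rather than by editing
records in place. Constructed example; key, entries and period are assumptions."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

RETENTION = timedelta(days=365)         # assumed retention period
# Assumed key management: the key is held by the log reviewer, not by the
# system that writes the log, so a writer cannot re-sign altered records.
LOG_KEY = b"constructed-demo-key-not-for-production"
FIELDS = ("ts", "user", "event")


def _tag(prev_tag: str, rec: dict) -> str:
    payload = json.dumps({k: rec[k] for k in FIELDS}, sort_keys=True)
    return hmac.new(LOG_KEY, f"{prev_tag}\n{payload}".encode(), hashlib.sha256).hexdigest()


def append_record(log: list, ts: datetime, user: str, event: str) -> dict:
    """Append one record whose tag covers the previous record's tag."""
    if log and ts < datetime.fromisoformat(log[-1]["ts"]):
        event += " [CLOCK-SKEW]"         # earlier than the last record: clocks out of sync
    rec = {"ts": ts.isoformat(), "user": user, "event": event}
    rec["tag"] = _tag(log[-1]["tag"] if log else "GENESIS", rec)
    log.append(rec)
    return rec


def verify_chain(log: list, expected_tail: Optional[str] = None) -> int:
    """Return the index of the first bad record, len(log) if records are
    missing from the end (needs the last tag recorded elsewhere), or -1 if intact."""
    prev_tag = "GENESIS"
    for i, rec in enumerate(log):
        if not hmac.compare_digest(_tag(prev_tag, rec), rec["tag"]):
            return i
        prev_tag = rec["tag"]
    if expected_tail is not None and not hmac.compare_digest(prev_tag, expected_tail):
        return len(log)
    return -1


def due_for_disposal(log: list, now: datetime) -> int:
    """Count records older than RETENTION. Dispose of whole chained segments
    (e.g. by rotating the file), never by deleting single records, so that
    what remains still verifies from its own genesis tag."""
    return sum(1 for rec in log if now - datetime.fromisoformat(rec["ts"]) > RETENTION)


def demo() -> dict:
    """Build a small constructed log and show what the checks detect."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    log = []
    append_record(log, t0, "alice", "LOGIN ok")
    append_record(log, t0 + timedelta(minutes=1), "bob", "READ classified-report")
    append_record(log, t0 - timedelta(minutes=5), "carol", "LOGIN ok")   # skewed clock
    tail = log[-1]["tag"]
    out = {"intact": verify_chain(log, tail),
           "skew_flagged": log[2]["event"].endswith("[CLOCK-SKEW]")}
    modified = json.loads(json.dumps(log))      # deep copy, then alter a field
    modified[1]["user"] = "mallory"
    out["modified"] = verify_chain(modified, tail)
    out["truncated"] = verify_chain(log[:-1], tail)
    out["old_records"] = due_for_disposal(log, t0 + timedelta(days=400))
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:13} {result}")
```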
Information that may compromise the security of Information Systems must not be disclosed to users, or any other third parties, except on a need-to-know basis and only if authorized by the IT Security Officer.
Staff must not disclose information about the individuals, business entities or specific systems that have suffered damage caused by computer crimes and computer abuse, or the specific methods used to exploit certain system vulnerabilities, to any people other than those who are handling the incident and responsible for the security of such systems, or authorized investigators involved in the investigation of the crime or abuse.
Staff must not disclose to any unauthorized persons the nature and location of the Information Systems, the information security controls that are in use, or the way in which they are implemented.
All stored information classified as confidential or above must be encrypted.
Business entities must comply with handling requirements for classified information, including, but not limited to, storage, transmission, processing, and destruction.
Information Backup
Backup and recovery procedures must be well documented, properly implemented, and tested periodically.
Backups must be carried out at regular intervals.
Backup activities must be reviewed regularly.
Backups must be stored off-site at a remote distance from the main site, and be protected. Backup media should also be protected against unauthorized access, misuse, or corruption during transportation.
Application development staff must include security planning and implement the appropriate security measures and controls for systems under development according to the systems' security requirements.
Documentation and listings of applications must be properly maintained and restricted on a need-to-know basis.
Formal testing and review of the security controls must be performed prior to implementation.
The integrity of an application must be maintained with appropriate security controls such as version control mechanisms and separation of environments for development, system testing, acceptance testing, and live operation.
Application development staff must not be permitted to access production information unless necessary.
Configuration Management & Control
Change control procedures for requesting and approving program/system changes must be documented.
Changes affecting existing security protection mechanisms must be carefully considered.
Installation of all computer equipment and software must be done under control and audit.
Business entities must ensure that staff are formally advised of the impact of security changes and usage on Information Systems.
Internal network addresses, configurations and related system or network information must not be publicly released without the approval of the concerned entity.
All internal networks with connections to other networks or publicly accessible computer networks must be properly protected.
Security measures must be in place to prevent unauthorized remote access to the systems and data.
Staff are prohibited from connecting workstations to an external network by means of any communication device, such as a dial-up modem, wireless interface, or broadband link, if the workstations are simultaneously connected to a local area network (LAN) or another internal communication network, without the approval of the concerned entity.
Staff must not connect any unauthorized device to an Information System without prior approval as designated by the entity.
Proper configuration and administration of information/communication systems is required and must be reviewed regularly.
Connections and links made to other networks must not compromise the security of the information processed on either side of the connection.
Confidential/Restricted information must be encrypted when transmitted over an untrusted communication network.
Top Secret/Secret information must be transmitted only under encryption and inside an isolated LAN approved by the IT Security Officer.
Internet Security
All Internet access must be either through centrally arranged Internet gateways or the entity's own Internet gateway conforming to internal security standards. Where this is not feasible having regard to the mode of use (for example, Internet browsing, email exchange, and the use of official portable computers while on business), the relevant standalone machines must still be protected by any applicable security mechanisms.
Business entities may consider allowing Internet access through stand-alone machines, provided that there is an approval and control mechanism at an appropriate level within the business entity.
Business entities should consider the value versus the inconvenience of implementing technologies to block non-business web sites. The ability to connect to a specific web site does not in itself imply that users of systems are permitted to visit that site.
Each entity must clearly define and communicate to users its Internet policy in relation to acceptable Internet usage.
All software and files downloaded from the Internet must be screened and verified with anti-virus software.
Staff should not execute mobile code or software downloaded from the Internet unless the code is from a known and trusted source.
Email Security
Each entity must clearly define and communicate to users its email policy in relation to acceptable email usage.
Systems administrators must establish and maintain a systematic process for the recording, retention, and destruction of electronic mail messages and accompanying logs.
Incoming/outgoing email must be screened for computer viruses and malicious code.
Internal email address lists containing entries for authorized users must be properly maintained and protected from unauthorized access and modification.
Classified information must be transmitted by email only on an Information System approved by the IT Security Officer.
Emails from suspicious sources should not be opened or forwarded.
Protection Against Computer Viruses and Malicious Code
Anti-virus software must always be enabled on all local area network servers and personal computers, and on computers connecting to the internal network via remote access.
Business entities must protect their Information Systems from computer viruses and malicious code. Virus signatures and malicious code definitions, as well as their detection and repair engines, must be updated regularly and whenever necessary.
Storage media and files from an unknown source or origin must not be used unless the storage media and files have been checked and cleaned for computer viruses and malicious code.
Users must not intentionally write, generate, copy, propagate, execute or be involved in introducing computer viruses or malicious code.
Business entities must implement proper measures to protect their wireless or mobile computing devices against computer viruses and malicious code.
Software and Patch Management
Computers and networks must only run software that comes from trustworthy sources.
No unauthorized application software may be loaded onto an Information System without prior approval from the IT Security Officer as designated by the entity.
Business entities must protect their Information Systems from known vulnerabilities by applying the latest security patches recommended by the product vendors or implementing other compensating security measures.
Before security patches are applied, proper risk evaluation and testing should be conducted to minimize undesirable effects on Information Systems.
Wireless Security
Business entities must document, monitor, and control wireless networks with connection to internal networks.
Proper authentication and encryption security controls must be employed to protect data communication over wireless networks with connection to internal networks.
Security risk assessments for information systems and production applications must be performed at least once every two years. A security risk assessment must also be performed prior to major enhancements and changes associated with these systems or applications.
Use of software and programs for security risk assessment analysis must be restricted and controlled.
Security Auditing
Information Systems must be periodically evaluated by auditors of an independent and trusted party to determine the minimum set of controls required to reduce risk to an acceptable level.
Auditing of compliance with computer and network security policies must be performed periodically.
Use of software and programs for security audit analysis must be restricted and controlled.
Security Incident Management
Security Incident Monitoring
Business entities must establish an incident detection and monitoring mechanism to detect, contain and ultimately prevent security incidents.
Business entities must ensure that system logs and other supporting information are retained for the proof and tracing of security incidents.
Security Incident Response
Business entities must establish, document and maintain a security incident handling/reporting procedure for their Information Systems.
Staff must be made aware of the security incident handling/reporting procedure that is in place and must observe and follow it accordingly.
All network or systems software malfunctions, information security alerts, warnings, suspected vulnerabilities, and the like, and suspected network security problems, must be reported immediately to the responsible party according to the incident handling procedure.
Immediate follow-up actions are required on suspected system intrusion according to security incident handling/reporting procedures.