Infosec Policy
PURPOSE
Information that is collected, analyzed, stored, communicated, and reported upon may be subject to theft, misuse, loss, and corruption. Information may be put at risk by poor education and training, and the breach of security controls. Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation, as well as possible judgments being made against Cybervergent.
This high-level Information Security Policy sits alongside the Data Protection Policy and other related Information security policies to provide the high-level outline of and justification for Cybervergent’s risk-based information security controls.
The purpose of the Cybervergent Information Security Policy is to:
- Safeguard Sensitive Information pertaining to Cybervergent employees, clients, and any other associated entities, preventing the loss of information that is critical to the company's operations.
- Establish reasonable and appropriate procedures to uphold the confidentiality, integrity, and availability of Cybervergent’s Information Technology Resources.
- Prescribe effective mechanisms for identifying and preventing any compromise to information security, as well as curbing the misuse of Cybervergent's data, applications, networks, and computer systems.
- Define robust measures that safeguard the reputation of Cybervergent and support compliance with the legal and ethical obligations that arise from connecting its networks and computer systems to external networks.
- Provide clear, written guidelines and procedures for the management and control of information deemed Sensitive Information, irrespective of its form—electronic, paper, or other.
- Uphold the integrity and validity of Cybervergent's data, ensuring that it remains trustworthy and accurate.
- Assure the security and protection of Sensitive Information within Cybervergent's custody, whether stored electronically, on paper, or in other formats.
SCOPE
The Information Security Policy and its supporting controls, processes, and procedures apply to all information used at Cybervergent, in all formats. This includes information processed by other organizations in their dealings with Cybervergent.
The Information Security Policy and its supporting controls, processes, and procedures apply to all individuals who have access to Cybervergent's information and technologies, including external parties that provide information processing services to Cybervergent.
A detailed scope, including a breakdown of users, information assets, and information processing systems, is included in the supporting Information Security Management System (ISMS) documentation.
POLICY STATEMENT
It is Cybervergent’s policy to ensure that information is protected from a loss of:
- Confidentiality – information will be accessible only to authorized individuals.
- Integrity – the accuracy and completeness of information will be maintained.
- Availability – information will be accessible to authorized users and processes when required.
Cybervergent will implement an Information Security Management System based on the ISO 27001 International Standard for Information Security. Cybervergent will also reference other standards as required, mindful of the approaches adopted by its stakeholders, including clients and partners.
The risk-based approach to the application of controls includes:
1. INFORMATION SECURITY POLICIES
- A set of lower-level controls, processes, and procedures for information security will be defined, in support of the high-level Information Security Policy and its stated objectives. This suite of supporting documentation will be approved by the Cybervergent Management, published, and communicated to Cybervergent users and relevant external parties.
2. ORGANIZATION OF INFORMATION SECURITY
- Cybervergent will define and implement suitable governance arrangements for the management of information security. This will include the identification and allocation of security responsibilities to initiate and control the implementation and operation of information security within Cybervergent.
Cybervergent will appoint at least:
- An Information Security Steering Committee to influence, oversee, and promote the effective management of Cybervergent information.
- An Executive to chair the Information Security Steering Committee and take accountability for information risk.
- An Information Security specialist to lead the information security function.
- Information Asset Owners (IAOs) to assume local accountability for information management; and Information Asset Managers (IAMs) responsible for day-to-day information management.
3. HUMAN RESOURCES SECURITY
- Cybervergent’s security policies and expectations for acceptable use will be communicated to all users to ensure that they understand their responsibilities. Information security education and training will be made available to all staff, and poor and inappropriate behavior will be addressed.
Where practical, security responsibilities will be included in role descriptions, person specifications, and personal development plans.
4. ASSET MANAGEMENT
- All assets (information, software, electronic information processing equipment, service utilities, and people) will be documented and accounted for. Owners will be identified for all assets, and they will be responsible for the maintenance and protection of their assets.
All information assets will be classified according to their legal requirements, business value, criticality, and sensitivity, and classification will indicate appropriate handling requirements. All information assets will have a defined retention and disposal schedule.
5. ACCESS CONTROL
- Access to systems and information will be controlled and audited, driven by business requirements. Access will be granted, or other arrangements made, for users according to their role and the classification of the information, and only to the level needed for them to carry out their duties.
A formal user registration and deregistration procedure will be maintained for access to all information systems and services. This will include mandatory authentication methods based on the sensitivity of the information being accessed, including the use of multiple authentication factors and device-based controls where appropriate.
Specific controls will be implemented for users with elevated privileges, to reduce the risk of negligent or deliberate system misuse. Segregation of duties will be implemented where practical.
6. CRYPTOGRAPHY
- Cybervergent will provide guidance and tools to ensure proper and effective use of cryptography to protect the confidentiality, integrity, and authenticity of information and systems.
7. PHYSICAL AND ENVIRONMENTAL SECURITY
- Information processing facilities will be housed in secure areas, physically protected from unauthorized access, damage, and interference by defined security perimeters. Layered internal and external security controls will be in place to deter or prevent unauthorized access and protect assets, especially those that are critical or sensitive. This includes where Cybervergent uses third-party services to process information.
8. OPERATIONS SECURITY
- Cybervergent will ensure the correct and secure operation of information processing systems. This will include documented operating procedures; formal change and capacity management; controls against malware; defined use of logging; and vulnerability management.
9. COMMUNICATIONS SECURITY
- Cybervergent will maintain network security controls to ensure the protection of information within its networks and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.
10. SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE
- Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems.
Controls to mitigate any risks identified will be implemented where appropriate.
Systems development will be subject to change control and separation of test, development, and operational environments.
11. SUPPLIER RELATIONSHIPS
- Cybervergent’s information security requirements will be considered when establishing relationships with suppliers, to ensure that assets accessible to suppliers are protected.
Supplier activity will be monitored and audited according to the value of the assets and the associated risks.
12. INFORMATION SECURITY INCIDENT MANAGEMENT
- Guidance will be available on what constitutes an Information Security incident and how it should be reported. Actual or suspected breaches of information security must be reported and will be investigated. Appropriate corrective action will be taken, and lessons learned will be fed back into the controls.
13. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
- Cybervergent will have in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely recovery in line with documented business needs.
This will include appropriate backup routines and built-in resilience.
Business continuity plans must be maintained and tested in support of this policy. Business impact analysis will be undertaken to assess the consequences of disasters, security failures, and loss of service availability.
COMPLIANCE
- The design, operation, use, and management of information systems must comply with all statutory, regulatory, and contractual security requirements.
Currently, this includes data protection legislation, the Government’s Prevent guidance, and Cybervergent’s contractual commitments.
Cybervergent will use a combination of internal and external audits to demonstrate compliance against chosen standards and best practices, including against internal policies and procedures.
This will include penetration tests, gap analysis against documented standards, internal checks on staff compliance, and returns from Information Asset Owners.
REVIEW
A review of this policy will be undertaken by the Cybervergent Information Security team annually or more frequently as required and will be approved by the Cybervergent Management.
Updated April 2024