9 - Information Security Policy

Information Security Policy

Template

This template is part of ISACA’s Policy Template Library Toolkit. The policy
template should be modified to ensure it conforms to the control posture and
reflects the risk tolerance of the specific enterprise environment.

FOR INTERNAL USE ONLY
POLICY NAME: Information Security Policy

DESCRIPTION: Ensure access is limited to information and information processing resources.

OWNER: Chief information security officer (CISO)

EFFECTIVE DATE: Immediately

REVIEW FREQUENCY: At least annually

INTRODUCTION

Purpose for Policy

The purpose of this policy is to set out principles for ensuring that Company LLC IT resources (people,
processes, information, and technology) are appropriately protected. The policy establishes a
comprehensive framework for safeguarding the organization’s information assets and ensuring the
confidentiality, integrity, and availability of sensitive data.

Scope of Policy
This policy applies to:
a) All employees, contractors, consultants, temporary staff, interns, visitors, and other workers at
Company LLC, including all personnel affiliated with third parties
b) All Company LLC locations where IT resources are located or used
c) All Company LLC IT resources
d) Any information not specifically identified as the property of other parties that is transmitted or
stored on Company LLC IT Resources (including email, text and chat messages, and files)
e) All devices connected to a Company LLC network or used to access Company LLC IT resources

Exceptions
Any exceptions to this policy require submission and approval of appropriate documentation in
accordance with the established policy exception process “xxxxx.” Exceptions deemed high risk will be
escalated to and reviewed by the “xxxxx Risk Forum” and recorded in the risk register.

GUIDELINES AND REQUIREMENTS

1. An inventory of IT resources must be maintained.

2. Information security risk must be managed through the IT resource life cycle.

3. IT resources must be secured according to their information security risk and the appropriate
mitigating controls.

4. All access to IT resources must be approved based on need and periodically reviewed.

5. Information security events and anomalous activities must be monitored and analyzed in a timely
manner.

6. Information security incidents must be managed and mitigated in a timely manner.

7. Business continuity and disaster recovery plans must be developed and tested.

8. IT resources must be managed in accordance with all applicable laws and regulations.

9. Remote access will be closely restricted to conducting Company LLC business, require two-factor
authentication, and be configured with proper security and encryption methods.

10. The information security program should be defined by a documented and comprehensive
framework and include, at minimum, the following security policies:
- Data Privacy Policy
- Incident Response Policy
- Access Control Policy
- Data Classification and Handling Policy
- Third-Party Vendor Management Policy
- Encryption Policy
- Network Security Policy
- Security Awareness and Training Policy
- Physical Security Policy
- Remote Access Policy
- Asset Management Policy
- Change Management Policy
- Cloud Security Policy
- Mobile Device Security Policy
- Data Retention and Disposal Policy
- Security Monitoring and Logging Policy
- Business Continuity and Disaster Recovery Policy
- Configuration Management Policy
- Password Policy
- Acceptable Use Policy

11. Security incidents must be immediately reported to the chief operating officer (COO).

12. Information security key performance indicators (KPIs) must be reported to the board at least
annually.

13. Information security key risk indicators (KRIs) must be reported to risk management at least
quarterly.

ROLES AND RESPONSIBILITIES

1. The Company LLC board, audit and risk committee, and IT committee are ultimately accountable
for the management of information security risk and are supported by the senior leadership team
(SLT) and chief information security officer (CISO), who oversee information security strategy,
funding, and resourcing.

2. The chief information officer (CIO) has the authority to:

a. Establish information security strategy and provide governance and oversight.
b. Assign management responsibilities for information security.

3. The chief information security officer (CISO) is accountable for:

a. Providing leadership on policies, standards, and guidelines for information security
b. Identifying and documenting the information security controls and monitoring their
effectiveness
c. Managing overall Company LLC information security risk
d. Providing cybersecurity advice and user awareness
e. Managing information security incidents
f. Supporting the handling of privacy and compliance security events that are reportable to the
compliance/privacy officer

4. Company LLC senior management is accountable for the management of information security risk
within their area of responsibility.

5. Information resource owners are responsible for:

a. Assessing, reporting, and escalating information security risk, including the availability,
confidentiality, and integrity of information associated with their IT resources
b. Assessing and managing information security risk associated with their third-party service
providers
c. Overseeing all access to their IT resources
d. Providing management assurance over their information security controls
e. Complying with relevant legal, regulatory, and applicable policy requirements

6. Company LLC employees are responsible for adhering to company security policy and protecting IT
resources. Employees are responsible for overseeing and safeguarding information systems and
data within their control and ownership. They are required to comply with policies and standards
concerning data risk, and it is imperative that they promptly report any potential or actual
information security threats and incidents to the relevant departments.

CONSEQUENCES OF POLICY VIOLATIONS

Breaches of this policy and/or the Code of Conduct shall be considered grounds for disciplinary action up
to and including dismissal.

QUESTIONS/CONTACT INFORMATION

For questions about the Information Security Policy or any material addressed herein, please email the
CIO Policy group (or Information Security or CISO group) at xxxxxxx@CompanyLLC.com.

DOCUMENT INFORMATION

Document Location: Z:\Policies & Procedures\Policies\IT Policies

VERSION HISTORY

Version | Date | Author | Additional Information
V1.0 | xx/xx/xx | |

DOCUMENT REVIEW

Version | Date | Reviewed By | Additional Information
V1.0 | | | Approved
