1.1 Purpose of this document
The purpose of this policy is to establish a framework for managing risks and protecting the company’s Information Resources (IR) against all types of threats, internal or external, intentional or unintentional.
1.2 Goals for this document
This document should ensure the establishment of a Risk Management governance framework and, implicitly, ensure that the company's Information Security Program implements adequate:
- Availability and accessibility
- Compliance with all relevant laws and regulations
- Compliance with all internal requirements, policies and standards
- Control and reporting of all of the above.
1.3 Management commitment to information security
The Board of Directors, the CEO and the IT Manager realize how important Information Security is to GeoSLAM, and have the responsibility for:
- Defining the risk appetite and acceptable risk levels
- Budgeting so that risks can be managed according to the risk appetite
- Publishing and promoting internally the Information Security Policy
- Formulating the Business requirements for strategic systems in writing
- Defining responsibility for strategic systems including documentation requirements for these
- Subjecting Third parties to recurring audits and managing risks for third parties and third party subcontracting.
- Establishing and maintaining Business Continuity and Business Recovery plans, which must be tested annually.
1.4 Scope and target audience
Documentation or processes should always be implemented according to the ISO 27001, ISO 20000 or similar standards, as relevant to each case.
The Information Security Policy covers all IRs that belong to or are in use by the company.
The Information Security Policy covers and applies to all employees of the company, including all contracted third parties, such as outsourcing vendors.
This means that third parties in an outsourcing or cascaded outsourcing situation must comply with this Information Security Policy. It is the responsibility of the IT Manager to ensure this and to make sure that this compliance is reported to The IT Manager periodically.
2. Responsibility and formal organization
The CEO and the Board of Directors are ultimately responsible for the Information Security and thus also for the implementation of this policy. Responsibility for the implementation can be delegated to The IT Manager.
The IT Manager is responsible for general management and decision making within Information Security, and is responsible for:
- Information Security
- Updating relevant security documentation within own areas of responsibility
- Making recommendations about needed changes to the Information Security Policy
- Managing Information Security for the company within the framework set out by this policy
- Creating general security procedures and guidelines
- Ensuring by means of training and communication that relevant employees have a solid knowledge and understanding of the Information Security Policy and Information Security in their daily work/life
- Ensuring that relevant laws and regulations plus the Information Security Policy are followed
- Reporting on Information Security status and security events within the company to the CEO
- Updating the security related policies such as BCP and BRP
- If relevant escalating security matters to the Board of Directors. There needs to be a legal and pre-approved path for this escalation. This path must be useable without fear of reprimand.
- IT department guidelines and procedures, system specific documentation
- Ensure that all documentation within their own domain of responsibility is updated and relevant
- Be responsible for the daily operation of the individual IT-systems, infrastructure and strategic assets within their own domain
- Implementing threat prevention and threat treatments in line with budgets and risk appetite and risk treatment recommendations
- Ensure that the demands and requirements for IT-systems, procedures and critical assets are realistic and attainable. If this is not deemed to be the case, it is the responsibility of the IT Responsible to enter into dialogue with the Information Security Responsible about the matter (and to make adjustments until these requirements are appropriately defined).
- Balance spending on threat prevention, threat detection and threat remediation.
The individual manager/team leader is responsible for compliance with the Information Security Policy, procedures and guidelines within his/her own group of personnel.
The individual employee is responsible for carrying out daily tasks within the framework of this Information Security Policy.
The individual employee is also responsible for reporting any incident that the employee may witness or cause. The individual employee is responsible for using IRs with care.
2.1 Conflicting tasks and responsibilities
It is the intent of the company to structure the organization in such a way as to avoid placing potentially conflicting tasks upon the same individual; however the company must take into account the size of the organization, availability of qualified resources and costs.
3. Enterprise Threat Modelling
Enterprise threat modelling is the exercise of identifying who could be a threat to your organization, what their motives might be and how they would go about accomplishing those motives. It is important to note that threat modelling isn't something you only do for applications, but something you do for the entire enterprise, hence "enterprise threat modelling".
This threat modelling should cover all three aspects of the CIA triad and also include, for example, system failure and manual error. It should model expected or unexpected attackers against the company, their likely TTPs (tactics, techniques and procedures), their motivation and intent, and what they would be likely to do if they breached the company. Used proactively, the threat model can inform the budgeting of investments and the prioritization of day-to-day tasks for IT and Security personnel.
4. Enterprise Risk Management
A formal risk management framework such as ISO 27001/27005 should be used for Enterprise Risk Management.
Based upon risk assessments and risk/consequence estimations, preventive, detective and corrective security controls should be implemented iteratively until residual risks are within acceptable thresholds, i.e. within the risk appetite. The areas to be included in risk assessment are:
- Management responsibility
- Organization of Information Security
- Asset Management
- Human resource security
- Physical and environmental security
- Data Protection
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
4.1 Application Security
All business applications shall be developed using a framework for application security, for example OpenSAMM.
4.2 Data Classification
Different classification levels for assets/systems should be defined, for example:
4.3 System/Business Application/Infrastructure Prioritization
All systems/business applications/infrastructure should be assigned a business criticality between 1 and 3, where 1 means business critical and 3 means a system/application/infrastructure element that is not very critical. A test system is an example of an element with criticality rating 3.
Only the business side of the company can prioritize these appropriately, so this is a project that Information Security can lead but which also needs The IT Manager and relevant business stakeholders. A list of all relevant systems/business applications/infrastructure with their assigned priority is required and should be updated annually.
4.4 Business Continuity & Business Recovery Planning
To re-establish a business-as-usual condition following a disaster or a major incident, the company must maintain a Business Continuity Plan and a Business Recovery Plan. The plans must ensure that the company can re-establish systems and data within a predefined time frame. The plans must contain detailed emergency plans for all infrastructure within scope. To accomplish this, a scope must be established and approved by The IT Manager.
The BCP and BRP must be tested at least once per year by, for example, moving the active systems to the disaster recovery site or by conducting a similar simulation.
- The maximum accepted downtime for priority 1 systems is: 1 hour
- The maximum accepted downtime for priority 2 systems is: 24 hours
- The maximum accepted downtime for priority 3 systems is: 48 hours.
The CEO or The IT Manager is responsible for defining acceptable downtime. The IT Responsible and the Information Security Responsible are responsible for creating plans that implement these requirements and for testing them.
4.5 Continuous improvement
All policies, risk assessments and controls should be periodically re-evaluated/audited, at least annually and whenever otherwise appropriate, to ensure continuous improvement of Information Security.
5. Outsourcing and Vendor Management
The overall goal of defining the rules of outsourcing and vendor management is to:
- Retain control of information resources in an outsourcing situation
- Manage the handover securely to a partner that has been through the necessary audits/controls/due diligence
- Attain the information/tools required to be able to monitor and report on expected significant benefits including any expected financial benefits related to the outsourcing services.
The purpose of this policy is also to satisfy legal and regulatory requirements and to manage the risks involved with outsourcing of significant activities.
Outsourcing should be used:
- Only in a situation where this does not in any way impact customers/clients negatively
- Strategically to obtain pre-defined significant benefits, the realization of which must be transparently verified and reported on periodically
- Only if the process of entering into and handing over responsibility to an outsourcing partner is controlled and managed
Entering into an outsourcing agreement does not remove final responsibility from the CEO of GeoSLAM and the IT Manager.
This document, version number 3.0, was originally approved and came into force on 31 January 2017.
7. Definitions and abbreviations
Significant outsourcing activity: Outsourcing of an activity that has a significant size either in financial terms or in impact on the company’s operations and/or clients.
Information Resources (IR): any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, and printers. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Incident: Any event that does or could have caused an unintentional effect on the company's IR with regard to the CIA triad (Confidentiality, Integrity and Availability). This also covers security incidents.
SLA: Service Level Agreement. An agreement with a third party.
OLA: Operational Level Agreement. A company-internal SLA.
BCP: Business Continuity Planning.
DR: Disaster Recovery
Date 31 July 2021
Review date 31 July 2022