Information Security Policy


1. Making and Reviewing the Information Security Policy

a. The leadership (such as the board of directors) makes the Policy. As trustee for the organization's interested parties and stakeholders, the top management is accountable to them for its own strategic vision and commitments. These interested parties are therefore the audience of the policies and of the disclosures of how far those policies have been achieved. Accountability for the information security policy and topic-specific policies lies only with the top management; it cannot be delegated.

b. The top management defines the structure of the organization.

Organization structure means creating the roles (nomenclature or titles) for executives and the relationships among them. Roles are job titles that are self-explanatory about the function and the level (doing, reporting, decision making).

  • Going further, the top management assigns responsibilities to the executive management, through defined roles, to manage (plan, implement, track/monitor and control) the processes under their control. As a measure of performance against those responsibilities, objectives and targets for executives are mutually agreed and written down, so that there is no gap of understanding between the top management and the executives.
  • Depending on the role and responsibility, the top management delegates authority, enabling the executives with appropriate technical, administrative and financial powers so that they can independently perform work and make decisions under a governance model, to achieve the objectives and targets.

c. The top management reviews its policies together with the executive management. Review is the evaluation of the management system (the PDCA model used in the work processes of an organization) for its suitability, adequacy and effectiveness, to confirm that the policies (commitments made by the top management to relevant interested parties) are implemented and achieved, i.e., that there are no policy breaches.

Review is performed by the top management on its policies, i.e., on what it has committed to interested parties. Evaluation of planning and control, on the other hand, is the call of the executive management: tracking/monitoring of process and function objectives in operation, internal audit to detect deviations between plan (process) and do (operation), and corrective action taken on those deviations. The results of these are finally reported in the Review.

d. The leadership (top management) presents the success of its policies through regular and appropriate disclosures (such as annual reports and other publications) to the interested parties, whose needs and expectations were the reason for making the policies.

2. Why is documented information incomplete without communication to and acknowledgement by the parties concerned?

ISO (the standards body) realized that documented management system manuals were good for nothing. This requirement no longer exists in management system standards after 2015.
 
It was realized that working documents (software tools, content on websites, agreements, instructions, static and dynamic displays, and signage), wherever needed or at the point of use, are good enough to create visibility of the processes; no manual is therefore necessary or useful.

Excessive (or unusable) documents are not only unnecessary but costly, and they add to errors and compliance issues.

Unless a document is communicated to and acknowledged by its users or the parties concerned, it is immaterial.

Unless a document is communicated, it cannot be acknowledged, understood or used, and cannot achieve its purpose. Without this workflow there is no visibility of the relationship among policies (commitments and strategic vision: leaders), processes (planning and control: managers) and operation (doing: workers). Errors in the management system cannot be detected, and no improvement is possible.

Helpful tips

  • Avoid manual duplication or copy-pasting of information across documents; it is a source of error.
  • The body of a document must carry a suitable, self-explanatory title, the copyright/name of the organization (the approver), the date of its creation (or last update) and a version (change control). At a suitable place, the number and date of the board meeting in which the policy was approved can be recorded.
  • A policy can have a custodian, responsible for document control, communication, and control/oversight of the relevant processes. For example, the Privacy Policy is approved by the Board, but the Data Protection Officer, who is responsible for the personal information of interested parties in the business, is its custodian.
  • Create the document and store it on a secure server. A central body, the document controller, is responsible for control of documents and is known to people in the organization. It holds the repository of controlled documents together with their related information.
  • The document controller is the link between document owners/approvers and the custodians/executives responsible for implementation through the document's users or publishers. It can specify rules of document classification and who has rights to access each document on the server for legitimate uses.
  • When a document changes, the organization knows whom to notify and from whom to seek acknowledgement.
  • Executives with rights to access the server can create a hyperlink for use in communication or publication and seek acknowledgement from the parties concerned, including users. Executives must prevent any unauthorized document from being used in the business.
  • Examples of how policies are communicated: a. publication on the website for the public; b. welcome emails to customers and employees when they are on-boarded; c. templates of agreements; d. communication and acknowledgement, i.e., clicking a hyperlink to read the terms of use, or an 'accept the policy' tab before login.
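As an added example, not part of this article, the Python below models the document-control workflow in the tips: a controlled-document register whose acknowledgements are bound to the document version, so that a revision automatically tells the document controller whom to notify, and a stable hyperlink that can be reused in every welcome or update e-mail. The class, the function names, the link format and the sample parties are all this example's own assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ControlledDocument:
    """One entry in the document controller's register.

    The metadata mirrors the tips above: self-explanatory title, approver
    (the organization/board holding copyright), custodian, date of last
    update, a version for change control and a reference to the approving
    board meeting. Field names and sample values are this example's own.
    """
    title: str
    approver: str
    custodian: str
    version: int
    updated: str          # ISO date, e.g. "2024-01-10" (constructed)
    approval_ref: str     # board meeting reference, placeholder format
    # party -> version of this document that the party last acknowledged
    acknowledged: dict = field(default_factory=dict)


def register_party(doc: ControlledDocument, party: str) -> None:
    """Add a user or interested party who must acknowledge the document."""
    doc.acknowledged.setdefault(party, 0)   # 0 = never acknowledged


def acknowledge(doc: ControlledDocument, party: str) -> None:
    """Record that a registered party has read and accepted the current version."""
    if party not in doc.acknowledged:
        raise KeyError(f"{party!r} is not a registered audience of {doc.title!r}")
    doc.acknowledged[party] = doc.version


def revise(doc: ControlledDocument, updated: str, approval_ref: str) -> None:
    """Issue a new version after re-approval. Earlier acknowledgements stay
    on record but no longer cover the current version, so every party is
    automatically pending again and must be notified."""
    doc.version += 1
    doc.updated = updated
    doc.approval_ref = approval_ref


def pending(doc: ControlledDocument) -> list:
    """Parties whose acknowledgement is missing or predates the current
    version: this is the notification list for the document controller."""
    return sorted(p for p, v in doc.acknowledged.items() if v < doc.version)


def hyperlink(doc: ControlledDocument, base_url: str) -> str:
    """Stable link to the current version. The URL carries no version
    number, so the same link keeps pointing at the updated text and the
    policy body never has to be copy-pasted into e-mails."""
    slug = doc.title.lower().replace(" ", "-")
    return f"{base_url}/policies/{slug}"


def notice(doc: ControlledDocument, party: str, base_url: str) -> str:
    """Body of the e-mail that asks one pending party for acknowledgement."""
    return (
        f"Dear {party},\n"
        f"{doc.title} v{doc.version} (updated {doc.updated}, approved under "
        f"{doc.approval_ref}) is available at {hyperlink(doc, base_url)}.\n"
        f"Please read it and reply to acknowledge."
    )


if __name__ == "__main__":
    # Constructed sample register: one policy, three parties.
    aup = ControlledDocument("Acceptable Use Policy", "Board of ABC Limited",
                             "CISO", 1, "2024-01-10", "BM-2024-01")
    for party in ("alice@example.org", "bob@example.org", "vendor@example.net"):
        register_party(aup, party)
        acknowledge(aup, party)
    print("pending after v1 sign-off:", pending(aup))
    revise(aup, "2024-06-01", "BM-2024-06")      # board re-approves a change
    acknowledge(aup, "alice@example.org")
    for party in pending(aup):                   # bob and the vendor remain
        print(notice(aup, party, "https://intranet.example"))
```

The design point is that acknowledgement is recorded against a version, not as a flat yes/no: a change to the document does not need anyone to "reset" the register, because `pending` derives the notification list by comparison, and an acknowledgement from a party who was never registered is rejected rather than silently stored.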

3. What does the standard (ISO 27001:2022) require for policies, and why must they be documented, communicated and acknowledged?

5.2 of ISO 27001:2022, Policy

Top management shall establish an information security policy that:

- is appropriate to the purpose of the organization (SELF; see 4.1 Understanding the organization and its context, and 4.3 The scope of the information security management system);

- includes a commitment to satisfy applicable requirements related to information security (EXTERNAL; see 4.2 Understanding the needs and expectations of interested parties);

- includes information security objectives (INTERNAL; see 6.2 Information security objectives at relevant functions and levels and planning to achieve them) or provides the framework for setting information security objectives;

- includes a commitment to continual improvement of the information security management system (SELF, EXTERNAL and INTERNAL; see 10.1 Continual improvement).

The information security policy shall:

- be available as documented information (see 7.5 Documented information). Here the audience is SELF: the originators of the thought, the leaders;

- be communicated within the organization (see 7.3 Communication, and 5.3: top management shall ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated). Here the audience is INTERNAL: the planners and controllers, the managers;

- be available to interested parties, as appropriate (see 4.2 Understanding the needs and expectations of interested parties). Here the audience is EXTERNAL: the relevant interested parties.

Annex A control A.5.1 of ISO 27001:2022, Information security policy (see 5.2 Policy): the information security policy and topic-specific policies shall be DEFINED, APPROVED by management, PUBLISHED, COMMUNICATED to and ACKNOWLEDGED by relevant personnel and relevant interested parties, and REVIEWED at planned intervals and if significant changes occur.

4. Understanding of Concepts and Terms in Management System

4.1 What is the difference between Policy and Processes?

A policy, or policies, is the top management's commitment to pursue the organization's strategic direction and to fulfil the requirements of external interested parties relevant to the business, whether agreed or legal. A process is made of defined steps of work needed (within the scope of an organization) to achieve an intended outcome, i.e., the products and services of the business. For example, honesty is a policy or commitment, but playing carom, buying and selling, or servicing customers are the work processes in which the policy (honesty) is applied and maintained. Like honesty in this example, quality, environment and information security are also policies. The management system, or PDCA model, gives an element of assurance that the processes of work are managed in a way that meets the policies (commitments).

Commitments and work processes are related but different. The top management, like the head of a family, makes commitments on behalf of the organization to relevant EXTERNAL interested parties, whereas the processes are managed INTERNALLY by the relevant functions and work processes needed for its products and services.

Accountability for a policy or commitment formally made by the top management is towards EXTERNAL interested parties. Work processes, on the other hand, are INTERNAL, and the objectives and targets of a process act as safeguards, defences or a framework ensuring that the policy is never breached. The term 'framework' is used here in the sense of a cage or enclosure that protects animals in a zoo from external threats: the objectives and targets of functions and processes defend the policy of the organization from all directions.

Information security (preventing the risk of any loss of integrity, confidentiality and availability of information) is a policy or commitment. Sales, design, software development, production, services and so on are the functions/processes of an organization in which information is acquired, produced, used, stored and transferred. The policy is for the organization; objectives and targets are for the functions/processes that form parts of the organization.

4.2 What is the difference between Business and Support Processes?

Information technology, human resources and office administration are examples of support functions or processes. They provide services from the back office to all business processes on the front line, such as sales, product development, production and delivery.

Support means providing services to the business processes to relieve them of some work, i.e., shared services. If there were no support functions such as a human resources department or an information technology department, business processes like sales and production would do the work of recruitment, employee management and data management all by themselves, separately.

Small companies don't need or have support functions; each business process supports itself. Middle-sized and large organizations, however, prefer to create support functions/processes, through which business processes are relieved of the work that is common or shared. Information technology and human resources, being support functions, serve only internal users or internal customers of the organization.

4.3 What is difference between Policy and Objectives?

A policy is organizational and is declared by the top management, whereas objectives and targets are specific to the functions/work processes that are parts of the organization, and are set by the executive management, i.e., those appointed by the top management and given responsibility and authority for the planning and control of work.

Information security is a policy: a commitment of the top management, on behalf of the organization, to relevant external interested parties such as customers, the public, employees, suppliers/service providers, regulators and so on. The Information Technology department is one of the support processes, a part of the organization that provides data management services to relevant internal users in business processes such as sales, product development, production and delivery.

When an organization says 'Information Technology Policy', it actually means Information Technology objectives and targets, set with the Information Security Policy of the organization (of which the IT department is a part) in view.

4.4 How and by whom is the information security policy made, and how is it managed?

The top management or board of an organization is accountable for the affairs of the organization and for its information security policy. The Chief Information Security Officer is not a policy maker but an appointee of the top management for the governance of information security. Such a person is the chief custodian of the information security policy or policies. He/she heads information security governance: a cross-functional team drawn from all relevant functions and external resources such as lawyers and IT experts. He/she is expected to understand the context and purpose of the organization and the needs and expectations of interested parties, including regulations and the customer/market.

In many organizations the Chief Information Security Officer is purely an information technology expert. That is no problem, but remember that information security is not limited to information technology. Such a person needs knowledge of the business and of the information security laws applicable to the organization. Legal requirements can include copyright and trademark (publicly available information), privacy (personally identifiable information: GDPR, KYC and similar laws), data of financial customers or transaction data (banks and financial institutions), content that influences children (film making, advertising), national security (data localization laws), telecommunications (interception laws, disclosure of call records to authorities), intellectual property rights (music, film and software product licensing), business continuity (customer protection in critical services such as banking and telecom) and so on.

The provision and processes of information technology (data classification, software application development or acquisition, third-party managed services, network security, application security, cloud security, etc.) secure the technological controls, or IT risk treatment/control objectives, as one aspect of the information security policies. The human resources process (employee background, competence, awareness, etc.) looks after another aspect of information security, and the office administration process another. Each of these processes has its own risk treatment/control objectives for fulfilling the information security policy.

5. What are the requirements of Information Security Policy and Topic Specific Policies?

Information security (preventing the risk of any loss of integrity, confidentiality and availability of information) is one example of a policy or commitment of the top management of the organization. Commitments of the top management are towards relevant external interested parties such as customers, the public, employees, suppliers/service providers, regulators and so on.

It is not easy to describe commitments to each and every group of these interested parties in one document. Even if it can somehow be done, interested parties reading such a policy will be confused.

Here are some examples of information security policies that fail.

An information security policy statement such as 'we are committed to preventing the risk of any loss of integrity, confidentiality and availability of information, to complying with all applicable regulations in this regard, and to ensuring continual improvement' no doubt fits every type of organization on earth, but it is 100% useless. It does not meet the requirement of 5.2 of ISO 27001:2022 that the information security policy is 'appropriate to the purpose of the organization'. It is generic, and no one can guess the purpose of the organization from it.

Many organizations write some kind of information security policy, but unless it is published and acknowledged by those it is meant for, the policy is useless; even the management does not know its own policy. The requirement of A.5.1 Information security policy (see 5.2 Policy) is not fulfilled: the information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

An information security policy, even though documented and approved by the top management, is still not sufficient unless it is published, communicated to and acknowledged by relevant personnel and relevant interested parties. The ISO auditor who sees it for the purpose of audit and certification is not the interested party the standard has in mind.

An information security policy is a formal statement from the top management that is appropriate to the business context.

  • Remember, a policy (5.2 of ISO 27001:2022) is incomplete without the scope or boundary (4.3 of ISO 27001:2022) within which it applies. 'Sultan of Saudi Arabia' is complete in the sense that the Sultan is the policy and Saudi Arabia is the scope in which the policy applies. 'ABC Limited, a school situated in Dubai, has a policy of information security': in this statement an organization first introduces its business context, together with its commitment, the policy.
  • The policy and the scope both take into account the business context of the organization (4.1 of ISO 27001:2022) and the needs and expectations of interested parties (4.2 of ISO 27001:2022).

Business context is the situation in which a business operates. Here are a few typical examples.

- An OEM of software products (e.g., Microsoft) owns the product IPR and the source code of the software, but not the customer data. The OEM remains the owner of the products; customers can only buy rights to use them under a license agreement. The OEM has an obligation to maintain support (updates, etc.) for all of its users during the product's lifetime.
- Service providers (consultants, resellers of OEM products, system integrators, or developers of software applications against customer requirements) have a different business context. Even though they develop and support products for customers, they have no product rights, no rights to the source code and no role in handling data.
- Schools, banks or hospitals have a business context in which they acquire a software application from an OEM (like Microsoft) under a user license, customize it for their requirements and deploy it on local servers or in the cloud to run their business, keeping data in it under their own responsibility. Banks onboard customers under KYC/financial laws or a privacy policy and hold client data in their control.
- Telecommunication and internet service providers offer the connectivity infrastructure to those in the business of IT, communication and software applications.
- A data center is also a kind of service in which cooling, power, physical security, server space, environmental control, connectivity, etc. are available and clients can place their servers.
- Cloud providers (AWS, Azure) offer servers in which customers can deploy their own software applications and keep their data, and manage the security of those servers. A cloud server is like a car park: customers keep their data and deploy/control software applications in it at their own responsibility, after due diligence on its information security.
- SaaS providers (Microsoft O365, Facebook, Instagram, LinkedIn, internet banking) offer plug-and-play services (email, storage/drive, social media, online payments, etc.) on a subscription basis. Data in SaaS is controlled by customers using the functionality of the application and its terms of use, but customers need to connect to the SaaS provider's servers. Clients depend on SaaS providers to store data on their servers and to keep those servers available. SaaS is like a hotel: plug and play, on a subscription basis.

An information security policy is a formal statement from the top management that gives confidence to external interested parties (public, customers, employees, regulators, investors, etc.) that the organization is committed to data protection within the stated scope of the organization.

It forms the basis of

  • data classification, i.e., naming the categories of data with their distinctive security needs;
  • committing this information security policy to specific sets of interested parties in a more meaningful way;
  • keeping the policy in mind when entering any business agreement;
  • disclosures, claims and disclaimers of risks and responsibilities among the parties concerned.

Topic-specific policies provide clarity to each interested party about the data of theirs that the organization controls. Topic-specific policies are subsets of the information security policy applied in the acquisition, processing, storage, transfer and deletion of data.

Here are typical examples of topic-specific policies for specific data in the context of information security.

a. Personally Identifiable Information

When an organization collects Personally Identifiable Information (PII) of an individual for a legitimate need, individuals have a right to know and control which information is collected, how it is collected, how it is used and transferred, how long it is kept and used, and so on. If there is a law in the country, this policy becomes critical, and organizations that take responsibility for PII need to appoint a data protection officer as custodian of the privacy policies.

Examples of those collecting personal data are too many to list. KYC is a business requirement for opening a bank account, for school admissions, for admission to hospitals and so on. Social media, advertising and marketing firms, e-commerce companies and software-as-a-service providers like Google also hold personal data and therefore need to define a suitable privacy policy, communicate it and get acknowledgement from the parties concerned. The obligation includes informing them of changes to the policy, and acceptance of the changed policy for continuity of the engagement.

a. Customers, as persons whose PII is controlled by the organization, become interested parties and seek the privacy policy of the organization. This policy is normally managed by the sales department at the time of client on-boarding. Such a privacy policy is referred to or published and communicated in the standard agreement, in KYC or in some other way, and acknowledged by the parties concerned. Google, for example, requires acceptance of its terms and conditions by customers when they subscribe to its services.
b. Website visitors, as persons whose PII is controlled by the organization, become the interested parties of the website privacy policy. Typically it is the marketing departments that manage websites or social media advertising and collect PII. An example of a privacy policy for website visitors is https://uidai.gov.in/en/privacy-policy.html
c. Physical visitors whose PII is controlled by the organization become interested parties and seek an appropriate privacy policy of the organization. Typically, security departments or receptionists collect personal data (picture, government-issued identity, name, telephone, etc.) at the point of entry to the premises. Visitors, when giving out PII, must accept and acknowledge the privacy policy.
d. Employees whose PII is controlled by the organization become interested parties and seek the privacy policy of the organization. This policy is normally managed by the human resources department at the time of employee on-boarding, and is referred to in the employment agreement or in some other way. Employees, when giving out PII, must accept and acknowledge the privacy policy. Employees are the data owners, and employers can use employees' PII as per the Human Resource Privacy Policy and the applicable terms and conditions.

b. Business Sensitive Data

This policy addresses data security in business agreements that involve sharing sensitive business information between the parties concerned (customers, suppliers, legal authorities, etc.).

Usually, the policy for information security with regard to business-sensitive data is referred to in master services agreements between the organization and its customers, suppliers, contractors and so on. As long as a standard master services agreement (or an agreement by any other name) is approved by the top management, it is a policy. Such a template can be used by the organization when entering agreements with parties, and gets acknowledged.

This includes aspects of information security such as:
a. the need to identify the data to protect, its ownership, and risk identification and assessment;
b. separation of the responsibilities of risk owners, acceptance of/agreement on risk treatment plans, and review of the risks by the parties concerned;
c. the manner of reporting breaches, misuse or unavailability of the data and loss of or damage to information processing assets;
d. the need to classify and label such data and IT assets;
e. the need for non-disclosure/confidentiality agreements covering the classified data between the parties to the agreement;
f. the need for secure communication (single point of contact, plan and means of communication);
g. the need for consent of data subjects to sharing their data with trusted third parties or service providers, and their acceptance of the conditions/controls over such data sharing;
h. provisions for data retention, and for deletion or return upon de-boarding;
i. compliance with regulatory requirements for data to be kept within a region;
j. sharing data with legal authorities, when required, in a lawful manner.

c. User and management responsibility (acceptable use of information processing facility)

The policy of acceptable use of information processing facilities applies to users of IT resources (information systems and technology).
Users of IT resources to whom the acceptable use policy applies can have different roles. Users can be internal or external, and business users or technical/support users. For example, customers of internet banking are external business users; a branch manager of a bank who onboards and deboards customers is an internal business user. IT admins or staff providing technical support to these business users are technical/support users of the banking application. The OEM of a software application (source code and databases) used by an organization is an external technical user.

Each of these types of users of an information system needs and seeks from the organization an acceptable use policy for information processing facilities that is appropriate to them.

Here are typical examples of the types of users who become interested parties of an organization, need a policy of acceptable use of IT resources and acknowledge it.
a. Customers (merchants) of a payment aggregator (like GPay) or an e-commerce platform are external business users of the organization's IT resources; such customers accept and acknowledge the policy to be able to access the software application residing on the server using their own devices and network.
b. Employees, staff or service providers who become users of IT resources in different roles get devices and access rights to the network and applications.

Typically, an organization communicates the policy on acceptable use of IT resources at the time of on-boarding and issuance of IT assets or access rights (to the network, devices or software applications) to the users, whether external like customers or internal like employees. An organization normally sends out an email from the IT department with the title WELCOME TO <NAME OF ORGANIZATION> to the users and seeks acknowledgement of the email.
This email contains a hyperlink that refers to the policy of acceptable use of IT resources. Copy-pasting the policy text into every email body is not a good idea, as redoing it when the policy changes causes delay or error. A hyperlink works better because, when the policy is changed or updated, users can use the same link to see the updated information. This policy covers:
a. access to devices, the network and applications, and access to source code/servers, including information on privileges, logins and passwords, etc.;
b. use of multi-factor authentication, if applicable;
c. how to use the helpdesk or seek support when repair, maintenance or software updates/installation are needed;
d. do's and don'ts (care of equipment and access rights, the risk of unknown networks, clear screen and clean desk, etc.);
e. how to report data breaches or suspected data breaches;
f. the situations in which people are entitled to work from home or off the premises, and the procedure for it;
g. any other matter.

d. Customer data or any business-sensitive data under the organization's control but kept in third-party facilities and under third-party responsibility

A policy to protect data in third-party facilities covers the use of third-party applications such as cloud email, conferencing tools, hosting of applications in the cloud, or the use of human resources software as a service for keeping employee data.

Customers or data subjects seek a policy of the organization that discloses where their data is stored and the principles behind that decision.

The organization's policy on its use of third-party resources gives clarity to the interested parties of the business. It explains the criteria for choosing a third-party service provider to store or process customer data or any business-sensitive data.

There has to be clarity as to who is the decision maker on the use of third-party facilities, infrastructure and service providers. Google, for example, does not ask customers for their consent to its use of third parties, because it is Google's policy to take such decisions on the use of third-party resources all by itself.

Business continuity is a key aspect in evaluating a third-party facility. For example, keeping distance between the hot site and the DR site is useful, as it gives comfort in an earthquake or flood: if one site becomes inoperative, business can continue from the other.
Data localization laws can restrict moving certain data to certain countries.
The financial stability of service providers, country-specific legal requirements such as SOC compliance, tests of professionalism (ISO 27001, Uptime Institute tier ratings of data centers, etc.) and other certifications can be criteria for evaluating third-party facilities used by the organization to keep the data of others in its custody.

e. Intellectual Property

The policy to protect intellectual property rights (IPR) explains the position of an organization with regard to buying, selling, subscribing to or using the rights to product designs, source code of software applications and copyrights.
This policy can also cover the use of logos/trademarks, digital signatures, etc.
The organization is committed to not allowing any unauthorized software or other intellectual property in its work. It is committed, on behalf of itself and any partners working on its behalf, never to violate IPR agreements, copyrights or license terms in use, transfer or decommissioning. The organization has relevant processes and procedures in this regard.

f. Publicly Available Information

The policy to protect publicly available information (including information on social media) explains the position of an organization that the information it places in public (website, annual report, advertisements, social media, etc.) is up to date and free from error or misrepresentation. Organizations that lack such a policy live with the risk of their websites showing contact persons and telephone numbers that no longer work, working hours that have changed but were never updated, incorrect prices and product information on e-commerce sites, misrepresentation in publicly available information, and fake/unauthorized websites misusing their name and logo, unnoticed by the original organization. Governments, schools, banks, railways, hospitals, e-commerce websites and companies with reputed brands especially need to be careful about this policy.

Provisions in the relevant processes ensure that such content is reviewed and approved by a designated authority or the corporate communication department before it is placed in public view. Information already in public view is reviewed for validity at regular intervals and updated.

Under this policy the organization can remain careful to protect its public image and brand by keeping a watch on news items or other material in the public domain that is incorrect, malicious or unauthorized, and it can decide to react to these things in a lawful and timely manner.

The organization can also make disclaimers in certain situations.

Suggested reading: https://uidai.gov.in/en/website-policy.html and the attached file, as examples to take inspiration from.

g. Data Breach Notification

The Data Breach Notification Policy explains the position of an organization that employees, sub-contractors, customers, the public and any others under the organization's control need to report any loss or suspected loss of company data, or any violation of the confidentiality or integrity of classified data or of its data network, in a timely and defined manner.

The custodian of this policy is the information security department, which builds and operates the Information Security Incident Management procedure. The policy is reviewed at regular intervals, and the top management is apprised of performance against it.

a. Where it is a legal requirement (as for financial institutions or banks), significant data breaches need to be reported to the government authorities. Organizations are heavily penalized if a breach happens, is not reported to the designated government authority, and public data ends up in the wrong hands.

b. In the case of fraud or any criminal activity, this policy gives clear direction on how to go about detection, the mechanism for reporting to the police, criminal investigation or cyber security department, tracking the results and keeping records.





Regards

Krishna Gopal Misra

[email protected]
