Information Security Policy
Last Updated: 20.10.2017
1. Scope and Objectives
The efficient use of information must be an inseparable part of an organization’s everyday principles and practices, and it is a vital component of its success. Corporate information security policies, as a critical and fundamental structure of an organization, encompass databases, computer environments, documents, files and other technological and / or application tools that form the business or corporate structure of the company.
Restricted and employee-only information must be treated internally with absolute confidentiality and must be fully protected, with the backing of the organization's management. A global strategic security plan should be implemented internally within Tonic App.
In most technological organizations, information security is regarded as a challenge to be addressed merely through technology. The correct view is that protecting information involves the full scope of the business: characterizing vulnerabilities and assessing potential threats (which vary from organization to organization). From these two factors, an assessment of the risk to which the entity is exposed is formed. The investments to be carried out should then be sized according to the identified risks, with the objective of reducing them, by defining:
- Security policy / procedures: aligned with the business and the processes that sustain it;
- Technology: the means and technical models that support the security procedures.
Once security requirements have been identified, controls should be selected and implemented to ensure that risks are mitigated to a level considered acceptable to Tonic App’s business. The controls can be selected from existing standards, or from another set of controls developed to meet the specific needs under analysis. Controls should be selected based on the degree of identified risk and the impact of information loss. In this sense, it is the responsibility of management to define clear objectives for the implementation of security principles, and to demonstrate not only support but total commitment and dedication to the implementation and maintenance of an information security policy throughout the organization.
The information security policy applies to everyone who works for or with Tonic App, regardless of the nature of the relationship (employees, suppliers, consultants, volunteers, among others). It is the responsibility of all to ensure a high level of security in order to support and protect the interests of Tonic App and its customers and to allow the proper functioning of all sectors of activity, thus ensuring that services and business are delivered in a safe and effective way.
Employees who deliberately violate this or other policies should be subject to disciplinary or other penalties as defined by law.
3. Information Security Policy
Information security is defined as the maintenance of:
Confidentiality: ensure that information is only made available to those who have the appropriate authorization.
Integrity: ensure the consistency and veracity of the information and its processing.
Availability: ensure that information is available to users with proper authorization, whenever this access is required.
Auditability: corporate and / or business data and information must be recorded, compiled, analyzed, and disclosed in a way that allows internal auditors or external assurance providers to attest to its truthfulness.
Traceability: ensure the ability to recover the history of the actions carried out, through a register that must be kept up to date and available at any time.
Information is as important as any other asset in the organization, so it has to be protected in the most appropriate way. Information security protects information against a multitude of threats, ensuring business continuity, minimizing negative business effects, maximizing return on investment, and improving service quality.
Information security is achieved through the implementation of a set of controls that can be: policies, standards, procedures, organizational structures and software functions.
- Level 2 – Information Security Standards
- Level 3 – Controls, Processes, Non-Technological Procedures
- Level 4 – Technological Controls and Operational Instructions
Controls are required across all areas of information security; the set of areas is based on the international standard ISO / IEC 27002 and consists of the following:
- Information Security Policy
- Organization of Information Security
- Human Resource Management
- Asset Management
- Access Control
- Physical and Environmental Security
- Operations Management
- Communication Management
- Acquisition, Development and Maintenance of Systems
- Contracts with Suppliers
- Security Incident Management
- Business Continuity Plan
- Legal Compliance
These controls need to be established to ensure that the specific security goals of the organization are met.
A. Need for Security Policy Implementation
Information and its supporting processes, systems, and networks are essential assets to an organization’s business. Confidentiality, integrity and availability of information are essential elements to preserve the competitiveness, turnover, profitability and image of an organization in the market.
Currently, the security of an organization’s information systems is increasingly being tested by a variety of threats, including espionage, information leakage, sabotage, vandalism, hacking, and denial of service attacks, which have gradually become more sophisticated and ambitious. The dependence on information systems and services means that organizations are increasingly vulnerable to security threats. The simultaneous use of public and private networks and the sharing of information resources make it increasingly difficult to control access and to keep it secure.
B. Risk Assessment
The information security requirements are identified through a thorough assessment of information security risks. Conducting a risk analysis helps to determine the exposure to risk and, consequently, allows the most relevant risks to be prioritized and appropriate mitigation actions and controls to be identified.
C. Information Security Controls
Following the risk assessment and as soon as the mitigating measures have been identified, appropriate controls should be selected and implemented to ensure that the risk is reduced to an acceptable level. The information security controls can be selected from a standard or other sets of controls, and new controls can be added to meet specific needs.
The selection of controls depends on internal decisions that are based on risk acceptance criteria, risk treatment and risk management in general. These criteria result from the risk analysis carried out and shall take into account the applicable national and international regulations and legislation.
The information security mechanisms implemented should be subject to periodic reviews to ensure the expected levels of security, with a specific focus on safeguarding business continuity and critical processes.
D. Security Policy Review
The organization’s security policy should be reviewed annually or whenever there are significant changes.
This document was created based on the best practices and standards of the market, namely:
- ISO / IEC 27001 standard clauses 5.2 and 6.2;
- ISO / IEC 27002, A.5.1.