The purpose of the Information Security Management System (ISMS) in XXX is to ensure the continuity and protection of the business processes and information assets that are considered within the ISMS scope (stated in the ISMS scope document). The information security needs and objectives are stated in this document to minimize the impact of security incidents on the operations of XXX.
The primary audiences for Corporate Information Security Policy are Senior Management, System and Information Owners, Business and Functional Managers, Chief Information Security Officer (CISO), and IT Security Practitioners of the organization.
4.1 Availability – Property of being accessible and usable upon demand by an authorized entity.
4.2 Asset – Anything that has value to the organization.
4.3 Confidentiality – Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
4.4 Integrity – Property of accuracy and completeness.
4.5 ISMS – Information Security Management System is the part of the overall management system and required to establish, implement, maintain and continually improve the information security of the organization.
4. Corporate ISMS Policy
The Information Security Management System of XXX intends to ensure:
4.1 Integrity of all business processes, information assets, and supporting IT assets and processes, through protection from unauthorized modification, guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. The unauthorized modification or destruction of information could have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals;
4.2 Availability of all business processes, information assets, and supporting IT assets and processes to authorized users when needed, ensuring timely and reliable access to and use of information. The disruption of access to, or use of, information or an information system could have a serious adverse effect on organizational operations, organizational assets, or individuals;
4.3 Confidentiality of all information assets (information is not disclosed to unauthorized persons through deliberate or careless action). Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. The unauthorized disclosure of information could have a limited adverse effect on organizational operations, organizational assets, or individuals;
4.4 All IT-enabled processes and stakeholders shall follow the rules and regulations or circulars published in the organization;
4.5 All audit trails and logs, as decided by the Management Information Security Forum (MISF), shall be maintained and monitored by XXX;
4.6 All operational and system changes shall be monitored closely; these shall adhere to the change management process;
4.7 XXX complies with the laws, regulations, and contractual obligations which are applicable to the organization in general and in particular to its ISMS;
4.8 All applicable information security requirements are satisfied;
4.9 Continual improvement of the information security management system.
This policy applies to all Manager and staff of XXX, contractors, and third-party employees under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of ISMS.
XXX shall ensure that all activities required to implement, maintain and review this policy are performed. All personnel, regarded as included in the ISMS scope, must comply with this policy statement and its related security responsibilities defined in the information security policies and procedures that support the corporate information security policy. All personnel, even if not included in the ISMS scope, have a responsibility for reporting security incidents and identified weaknesses, and to contribute to the protection of business processes, information assets, and resources of XXX.
XXX holds the right to monitor the compliance of its personnel to this policy. Manager and staff of XXX, contractors, and third-party employees, who fail to comply with this policy, may be subjected to appropriate disciplinary actions.
8. Ownership and Revision
This policy statement is owned by the Board of Directors of XXX who has delegated this task to the Chief Information Security Officer (CISO). This policy shall be revised once in two years by the CISO and every time that the Board of Directors of FCI, or the MISF, decides to do so. MISF of XXX shall consist of the following members (as approved by CEO):
Executive Director (IT), Executive Director (Personnel), Executive Director (Finance), Executive Director (P&R), and Executive Director (Legal).
If you need assistance or have any doubt and need to ask any questions contact me at firstname.lastname@example.org. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.