Purpose, Scope and Users

The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management. Users of this document are all employees of 3DEO and related entities, as well as relevant external parties.

Basic Information Security Terminology

Confidentiality – characteristic of the information by which it is available only to authorised persons or systems.
Integrity – characteristic of the information by which it is changed only by authorised persons or systems in an allowed way.
Availability – characteristic of the information by which it can be accessed by authorised persons when it is needed.
Information Security – preservation of confidentiality, integrity and availability of information.
Information Security Management System – part of overall management processes that takes care of planning, implementing, maintaining, reviewing, and improving the information security.

Managing Information Security
Objectives and Measurement

3DEO objectives for the Information Security Management System are as follows:

Objective 1: No major security incidents

Measurement Method: Measurement through auditing and management review
Measured: Quarterly
Target Date: Quarterly
Responsible: Information Security Officer
Resources: System Admin
Action required: Incidents recorded. Quarterly report run on major security incidents.
Achieved: IMS meeting minutes

Objective 2: No major outages caused by application bugs

Measurement Method: Measurement through auditing and management review
Measured: Quarterly
Target Date: Quarterly
Responsible: Information Security Officer
Resources: System Admin
Action required: Post mortem completed for all production issues and recorded in Notion. Quarterly report run on major outages.
Achieved: IMS meeting minutes

Objective 3: All staff have completed ISO27001 awareness

Measurement Method: Training records to be verified
Measured: Annually
Target Date: Annually
Responsible: Information Security Officer
Resources: External consultants, 3DEO Staff
Action required: Train staff
Achieved: IMS meeting minutes

The Information Security Officer is responsible for reviewing these general ISMS objectives and setting new ones.

Objectives for individual security controls or groups are proposed by the Information Security Officer, and approved by the Information Security Focus Group in the Statement of Applicability.

All the objectives must be reviewed at least once a year.

3DEO will measure the fulfilment of all the objectives. The Information Security Officer is responsible for setting the method for measuring the achievement of the objectives. The measurement will be performed at least once a year, and the Information Security Officer will analyse and evaluate the measurement results and report them to Senior Management as part of the weekly and monthly status report updates and as input material for the Management review.

Information Security Requirements

This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organisation in the field of information security, as well as with contractual obligations.

A detailed list of all contractual and legal requirements is provided in the List of Legal, Contractual and Regulatory Requirements.

Information Security Controls

The process of selecting the controls (Safeguards) is defined in Risk Assessment and Risk Treatment Methodology.

The selected controls and their implementation status are listed in the Statement of Applicability.

Responsibilities

Responsibilities for the ISMS are the following:
– The Information Security Officer is responsible for ensuring that the ISMS is implemented and maintained according to this Policy, and for ensuring all necessary resources are available.
– The Information Security Officer is responsible for operational coordination of the ISMS as well as for reporting about the performance of the ISMS.
– The Information Security Officer must review the ISMS at least once a year or each time a significant change occurs, and prepare minutes from that review meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the ISMS.
– The Information Security Officer will implement information security training and awareness programs for employees.
– The protection of integrity, availability, and confidentiality of assets is the responsibility of the owner of each asset.
– All security incidents or weaknesses must be reported to the Information Security Officer.
– The Information Security Officer will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when.
– The Information Security Officer is responsible for adopting and implementing the Information Security Awareness plan which applies to all persons who have a role in information security management.
– The Information Security Officer is responsible for communicating with external authorities.
– The Information Security Officer, Head of Engineering and Head of Delivery are responsible for communicating with special interest groups and professional associations.

Policy communication

The Information Security Officer has to ensure that all employees of 3DEO, as well as appropriate external parties are familiar with this Policy.

Incident Management Procedure

All Information Security Incidents must be reported at the earliest opportunity. Every incident should be logged. If necessary, the senior management team will decide whether to take immediate action or to review the incident with the wider management team at the next management meeting.

Note that in assessing any incident, consideration must be given to the need to notify relevant authorities, in particular the Information Commissioner's Office (ICO).

Incidents, weaknesses and events must be reported as soon as possible, by telephone, Slack or in person during office hours. Critical or Major incidents discovered out of hours should be reported immediately by telephone to the Information Security Officer or CTO. The severity levels used for incident classification are outlined below:
– Critical
– Major
– Minor

The person who received the information must classify it in the following way:
– Minor
   – no incident occurred, but the event related to a system, process or organisation may trigger the occurrence of an incident in the near or distant future; or
   – an incident which cannot significantly impact the confidentiality or integrity of information, and cannot cause long-term unavailability.
– Major
   – an incident which can incur significant damage due to loss of confidentiality or integrity of information, or may cause an interruption in the availability of information and/or processes for an unacceptable period of time.
– Critical
   – a major incident affecting multiple 3DEO customers.

Treatment Process for Security Weaknesses or Events

The person who received the information about a security weakness or event analyses the information, establishes the cause and, if necessary, suggests preventive and corrective action.

Treating Minor Incidents

If a minor incident was reported, the person who received the information must take the following steps:
1. Take measures to contain the incident
2. Analyse the cause of the incident
3. Take corrective actions to eliminate the cause of the incident
4. Inform persons who were involved in the incident, as well as the Information Security Officer, about the incident treatment process.

The person who received information about a minor incident must log the incident in Notion.

Treating Critical / Major Incidents

In the case of major incidents that could disrupt activities for an unacceptable period of time, an Incident Response Plan as part of the Business Continuity Plan is invoked.

Learning from Incidents

The Information Security Officer, along with a member of the IT Team, must review all minor incidents every three months and enter recurring ones, or those which may turn into major incidents on the next occasion, in the NC Log.

The Information Security Officer must analyse each incident recorded in the NC Log (identifying the type, relatedness and cost of the incident) and, if necessary, suggest preventive or corrective action.

Support for ISMS implementation

Sean Murphy, as COO, declares that ISMS implementation and continual improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as satisfy all identified requirements.

The owner of this document is the Information Security Officer, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
– Number of employees and external parties who have a role in the ISMS, but are not familiar with this document.
– Non-compliance of the ISMS with the laws and regulations, contractual obligations, and other internal documents of the organisation.
– Ineffectiveness of ISMS implementation and maintenance.
– Unclear responsibilities for ISMS implementation.

Improvement

The organisation is committed to the concept of continual improvement through use of the stated policies, objectives and targets, audit results, analysis of data, corrective and preventive actions and management reviews.

The organisation has established and maintains documented procedures to ensure that nonconformity is identified, and that corrective actions are introduced to eliminate or reduce nonconformities and improve the effectiveness and suitability of the ISMS.

Applicable Requirements

Senior management makes a commitment to satisfy applicable requirements related to information security.