Information Security Policy
This information security policy specifies management?s intent to protect all important information assets within IT Desk from all threats, whether internal, external, deliberate, or accidental. Information within IT Desk exists in many forms and this policy applies to and includes the protection of data stored electronically, transmitted across networks, and printed or written on paper. The prime purpose of this Information Security Policy is to protect and safeguard IT Desk?s customer information. The needs and expectations of all interested parties have been considered in the development of this security policy.
Information Security Threat Environment
IT Desk identifies the most significant cyber threats as.
Cybercrime: Cybercriminals use various techniques such as phishing, malware, social engineering, and ransomware to target individuals and organizations. They are motivated by financial gain and may steal sensitive data, demand ransom payments, or disrupt operations. Users with C-level positions are at an increased risk from attacks such as spear phishing.
State-sponsored attacks: State-sponsored attacks are a growing threat, with nation-states using cyber espionage and cyberattacks to achieve political and military objectives. These attacks can target critical infrastructure, government networks, and private companies with government contracts.
Insider threats: Insiders such as employees, contractors, or partners who have access to sensitive information can pose a significant threat to organizations. They may intentionally or unintentionally misuse or disclose confidential data, steal intellectual property, or sabotage systems.
Looking ahead, the security threat environment is expected to continue to evolve as technology advances and new threats emerge. Some projected threats include:
Artificial intelligence (AI) and machine learning (ML) attacks: Attackers may use AI and ML to develop sophisticated attacks that can evade traditional security measures.
Internet of Things (IoT) attacks: As more devices are connected to the internet, there is an increased risk of IoT attacks that can compromise critical infrastructure, personal privacy, and safety.
The objective of information security is to ensure business continuity and minimise damage by preventing and reducing the impact of security incidents and to commit to continual improvement. The implementation of this policy is mandatory to maintain and demonstrate the firm?s integrity in dealings with all our customers, clients, and trading partners.
It is the policy of IT Desk to ensure:
Standards, policies, and security operating procedures will be produced to support this policy and will include virus control, access control, personnel security, the use of email and the Internet. A formal disciplinary process is documented and implemented when necessary to address issues arising with employees who choose not to comply with these standards, policies and procedures.
The effectiveness of controls will be measured wherever it is practicable to do so, the results analysed, and improvements will be implemented where identified, as necessary.
Where it is impractical to measure controls, they will be monitored for effectiveness. When identified continual improvement of the ISMS will be actioned/implemented as appropriate.
The ISMS Manager has overall responsibility for maintaining this Policy and providing guidance on its implementation. All employees are personally responsible for implementing the policies and procedures within their business areas. It is the responsibility of each employee to adhere to the policies and procedures in their areas.
This policy will be reviewed regularly to ensure it remains appropriate for the business and the IT Desk?s ability to achieve the companies? security objectives and serve its customers.
Deviations and Exceptions
Here is a process for managing deviations and exceptions in the
Information Security Policy:
Any deviation or exception from the Information Security Policy should be identified and documented within a CAR and placed in the CAR register. This includes the reason for the deviation or exception, the impact it will have, and any corrective measures that will be taken.
The deviation or exception should be reviewed and monitored to ensure that it does not recur and that the corrective actions taken are effective. This should be done on a regular basis to ensure ongoing compliance with ISO 27001 standards.
Any significant deviations or exceptions should be reported to a line manager or ISMS manager and escalated as necessary to ensure that appropriate actions are taken.
Authorised by: Chris Wright, Managing DirectorDate: 24/02/2023