Information Security Management System (ISMS) Notes

Introduction

  • In today's digital age, data is a valuable asset for organizations.
  • Protecting data from unauthorized access, theft, or loss is crucial.
  • An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it stays secure.
  • An ISMS comprises the policies, processes, procedures, and technology used to manage risk and ensure the confidentiality, integrity, and availability of information.
  • Implementing an ISMS is critical given the increasing frequency of cyberattacks.
  • These notes cover the HR, IT, admin, and information security management policies that make up the ISMS.

Defining Information

  • Information: Facts provided or learned about something or someone.
  • In this context, information is data processed, stored, or transmitted by a computer.

What is ISMS?

  • ISMS: A set of policies and procedures for systematically managing an organization's sensitive data.
  • Goal: Minimize risk and ensure business continuity by limiting the impact of security breaches.
  • ISMS protects: The intellectual property of the organization and its customers.

ISO Standards

  • ISO is an independent, non-governmental international organization that publishes standards; an ISMS is certified against its ISO/IEC 27001 standard.
  • Audits and certification are carried out by accredited certification bodies, not by ISO itself.
  • The name "ISO" is not an acronym; it is derived from the Greek word "isos," meaning equal.
  • An ISMS minimizes and avoids business threats by regularly revisiting risks and updating policies.
  • The focus is on reducing threats to an acceptable level and preventing risks from materializing, not on eliminating every risk.

Key Aspects of Information Security

  • An ISMS protects three key aspects of information:
    • Confidentiality: Information is accessible only to authorized individuals.
    • Integrity: Information is complete, accurate, and protected from unauthorized modification or corruption.
    • Availability: Information is accessible and usable when authorized users need it.
  • ISMS protects:
    • Employees
    • Client processes and data
    • Physical assets and infrastructure

Documentation

  • Documentation is mandatory: auditors check that documented processes exist and are actually implemented.
  • Records (e.g., emails, documents, logs) are the primary basis for determining whether a process is effective.

Positive Business Impacts of ISMS

  • Ensures products and services satisfy customer requirements while safeguarding customer and organizational data.
  • Harmonizes policies and practices across departments.
  • Focuses on information security from the root level by implementing mitigation controls in each process.
  • Includes reactive plans to threats, preemptive measures, and backup plans.
  • ISO certification increases the market value of the business.
  • Addresses client concerns:
    • Data security.
    • Trust in smooth business operations.
    • Backup plans for disaster recovery.
  • Departments are responsible for laying out policies, assessing potential risks, and creating mitigation controls for business continuity.

Flat World Philippines: ISMS Implementation

  • Your Role: Everyone plays a crucial role in protecting the confidentiality, integrity, and availability of information.
  • Departments Involved: IT, HR, Admin, Operations, Facilities, Finance, ISMG, and CISO.

InfoSec Policies

  • Definition: A set of rules and guidelines outlining the organization's approach to protecting data and information assets.
  • Includes: Roles and responsibilities, data classification, access control, incident response, and disaster recovery procedures.

HR Policies

  • Employees are screened before onboarding.
  • Confidentiality agreement is signed.
  • Employment contract is read and agreed to.
  • InfoSec policies are read, understood, and accepted upon joining.
  • Existing employees undergo annual InfoSec training.
  • Regulations regarding assigned assets are acknowledged and accepted.
  • All assigned assets are returned upon resignation.

IT Policies

  • User access controls.
  • Network access controls.
  • Operating system access controls.
  • Email policy.
  • Clear desk or clear disk.
  • Password policy.
  • Permissible and non-permissible assets.
  • Antivirus policy.

Detailed IT Policies

  • User Access Controls:
    • Access restricted to job-related tools and data.
    • Previous campaign access revoked upon transfer.
  • Network Access Controls:
    • No unauthorized asset connections.
    • Folder sniffing is prohibited.
    • Be aware of shoulder surfing.
  • Operating System Access Controls:
    • Unique user ID and password.
    • No sharing of user details.
    • Do not leave computers unattended and unlocked.
    • System idle timeout.
  • Email Policy:
    • No libelous, defamatory, offensive, racist, or obscene remarks.
    • No unlawful forwarding of confidential information.
    • No unlawful copying of messages without permission.
    • No attachments containing viruses.
    • Do not use BCC (blind carbon copy) for official emails.
    • Use approved email signature.
    • No all caps or offensive font colors.
    • Password protect confidential files.
    • No Ponzi schemes or third-party sales content.
    • No personal use of office emails.
    • Use shared drive for large attachments.
  • Clear Desk/Clear Disk Policy:
    • No confidential information saved on local drives.
    • Use authorized screensavers and desktop displays only.
    • Routine IT checks for compliance.
    • System auto-lock after five minutes of idle time.
    • User access to change settings is disabled.
  • Password Policy:
    • Email password expiration: every 60 days.
    • Windows (NT) login password expiration: every 45 days.
    • Do not reuse the last five passwords.
    • Passwords must follow approved standards.
    • Three incorrect attempts will lock accounts.
  • Assets:
    • Non-permissible: Personal laptops, pen drives, cameras, handy cams, external hard disks, any other personal storage media, and personal networking devices.
    • Permissible: Company-issued and customer-issued laptops, company-issued and customer-issued smartphones, company mobile phones, other company-approved communication devices, and company-issued external hard disks or other storage media.
    • Personal mobile phones: Permitted or restricted depending on role.
  • Antivirus Policy:
    • Ensures Flat World systems and networks are safe from malicious content and computer viruses.
    • System administrators ensure currency of antivirus controls and gateway controls.
    • Users handle external content sensibly, report virus alerts, and comply with the policy.
    • If infection is suspected:
      • Disconnect from the Internet.
      • Close files and programs.
      • Shut down the system.
      • Contact the IT help desk and raise an incident report with documented symptoms.
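The Password Policy above states three enforceable rules (60/45-day expiry, no reuse of the last five passwords, lockout after three failed attempts). The following is an added example, not code from Flat World or the original notes, showing how a login service would enforce them without ever storing previous passwords in plaintext: each history entry is a salted PBKDF2 hash, and reuse is detected by re-deriving the candidate against each stored salt. The hash scheme, iteration count, and the decision to count the current password as one of the five are assumptions, since the page does not specify them.

```python
"""Password policy enforcement modelled on the notes above (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Parameters taken from the Password Policy section.
MAX_AGE = {"email": timedelta(days=60), "nt": timedelta(days=45)}
HISTORY_DEPTH = 5          # "do not reuse the last five passwords"
LOCKOUT_THRESHOLD = 3      # "three incorrect attempts will lock accounts"
PBKDF2_ROUNDS = 50_000     # assumption: the notes do not specify a hash scheme


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    kind: str                                    # "email" or "nt"
    history: list = field(default_factory=list)  # (salt, digest), newest last; current = history[-1]
    last_changed: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_password: str, now: datetime) -> None:
        """Reject reuse of the last five passwords (current one included), then rotate."""
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(derive(new_password, salt), digest):
                raise ValueError("password reuse: matches one of the last five passwords")
        salt = os.urandom(16)
        self.history.append((salt, derive(new_password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the window we compare against
        self.last_changed = now
        self.failed_attempts = 0

    def is_expired(self, now: datetime) -> bool:
        return self.last_changed is None or now - self.last_changed >= MAX_AGE[self.kind]

    def authenticate(self, attempt: str, now: datetime) -> str:
        """Returns 'locked', 'denied', 'change_required' or 'ok'."""
        if self.locked or not self.history:
            return "locked" if self.locked else "denied"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(derive(attempt, salt), digest):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        # A correct password on an expired account still forces a change.
        return "change_required" if self.is_expired(now) else "ok"


def demo() -> dict:
    """Walk one NT account through expiry, reuse, the reuse window, and lockout."""
    t0 = datetime(2024, 1, 1)                      # constructed timeline
    acct = Account(kind="nt")
    acct.set_password("Initial-Pass-1", t0)
    out = {}
    out["fresh"] = acct.authenticate("Initial-Pass-1", t0 + timedelta(days=10))
    out["expired"] = acct.authenticate("Initial-Pass-1", t0 + timedelta(days=45))
    try:
        acct.set_password("Initial-Pass-1", t0 + timedelta(days=45))
        out["reuse"] = "accepted"
    except ValueError:
        out["reuse"] = "rejected"
    # Five further rotations push the original password out of the window.
    for i in range(2, 7):
        acct.set_password(f"Rotated-Pass-{i}", t0 + timedelta(days=45 + i))
    try:
        acct.set_password("Initial-Pass-1", t0 + timedelta(days=60))
        out["reuse_after_window"] = "accepted"
    except ValueError:
        out["reuse_after_window"] = "rejected"
    out["attempts"] = [acct.authenticate("wrong", t0 + timedelta(days=61)) for _ in range(3)]
    out["after_lock"] = acct.authenticate("Initial-Pass-1", t0 + timedelta(days=61))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `hmac.compare_digest` is used for every hash comparison so that the reuse check and the login check do not leak timing information, and the failure counter is only reset by a successful login or a password change, so a locked account stays locked until an administrator intervenes (the unlock procedure is not described on the page and is therefore not modelled).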

Admin Policies

  • Wear company IDs inside the premises.
  • New hires wear temporary IDs until receiving company IDs.
  • Register fingerprint at biometric devices upon entry and exit.
  • No tailgating.
  • Do not lend IDs or use someone else's ID.
  • Report lost IDs to admin and facilities ASAP.
  • Do not access unauthorized areas.
  • Return all keys or company equipment before exit clearance.
  • Facilities are monitored by CCTV.
  • Frisking and bag checks at the security post.
  • Visitors require an ID from the security post.
  • Log visitor information in the visitors' register.
  • Visitors surrender electronic devices at the security post unless they are authorized to carry them inside.
  • Escort visitors inside the production floor.
  • Visitors should not connect to networks, carry printed matter, or use any device or equipment without authorization.
  • Employees carrying media devices must follow the material movement policy and obtain prior approval.

Work Environment Policies

  • Maintain a neat working environment.
  • Avoid cluttering the work area with sensitive information.
  • Place sensitive working papers in locked drawers.
  • Treat customer and company information with high security and confidentiality.
  • Tidy desks at the end of the day.
  • Periodically identify sensitive documents for shredding by the admin department.

Vendor Management

  • Vendor management ensures that vendors are evaluated and engaged through a structured approach.
  • Includes vendor evaluation, selection, and performance evaluation.
  • Vendors with more than three successful transactions can be added to the preferred vendor list.
  • Vendor management policy includes:
    • Requisition.
    • Gathering of proposals.
    • Vendor selection and negotiation.
    • Prepare purchase order.
    • Delivery of products and services.
    • Vendor payment.
    • Vendor performance evaluation.

Information Security Management Policies

  • Do not store or use customer-provided information for non-business reasons.
  • Do not use Flat World email to procure or transmit material that violates sexual harassment or hostile workplace policies.
  • Do not browse unauthorized, non-business-related websites via Citrix or any proxy servers.
  • Avoid sending unsolicited emails, including junk mail or advertising material.
  • Avoid posting offensive comments in online public portals, blogs, or newsgroups that could harm the company's reputation.
  • No personal belongings should be brought inside the production floor.
  • Data should be obtained for specific and lawful purposes only.
  • Data should be processed fairly and lawfully for its intended purpose.
  • Data should be adequate, relevant, and not excessive.
  • Data should be accurate and up to date.
  • Data should be kept only as long as necessary.
  • Data should be processed according to the rights of data subjects.
  • Data should be securely maintained to avoid loss or destruction.
  • Data should not be shared or transferred to places with inadequate protection.
  • Confidential documents shared via any method should always be password protected.
  • Maintain a comprehensive and up-to-date database of information assets to define value, criticality, sensitivity, and legal implications.
  • Clearly label all information, data, and documents so users know ownership, classification, and value.

Data Classification

  • All information, data, and documents must be processed, stored, and destroyed according to classification levels.
    • Restricted: Highly sensitive corporate and customer data that could have major legal or regulatory consequences if compromised. Includes proprietary and sensitive information with a high risk requiring strict compliance and control.
    • Confidential: Personal communication related to the business that is unknown to the public and only shared within the organization. Restricted to employees or departments on a need-to-know basis.
    • Internal: Information that can be used and shared within the company. Disclosure may cause loss of competitive advantage and embarrassment. Not as critical but worth protecting to maintain integrity and privacy. Includes company calendar, organizational directory, company activities, news, announcements, and internal job postings. Access is allowed without strict management approval.
    • Public: Information declared public by the information owner, freely given to anyone without damage to Flat World Solutions Philippines. Includes marketing brochures, corporate website, press releases, and external job postings. Information intended for public release but not yet approved is often confidential or restricted.

Document and Asset Disposal

  • Examine all documents and assets before disposal.
  • Managers ensure information is no longer needed.
  • Log all disposed information or assets.
  • Shred documents.
  • Wipe IT assets before disposal. Note that a simple reformat does not erase the underlying data from a disk; storage media should be securely erased or physically destroyed.

Incident Management

  • Incident: Any unusual activity that could disrupt business or risk information security.
  • Incident management defines the process of reporting and managing incidents related to information security risk.
  • Employees who witness an incident should report it to their supervisor.
  • Report directly to the concerned department if the supervisor is absent.

Internal Audits

  • Conducted by the ISMG team at regular intervals to ensure compliance with standards, guidelines, and procedures.
  • Applicable to all employees, contractors, and third-party services.
  • Covers all activities and functional areas at Flat World.