Information Security Policy
Control objective: The organization provides management direction and support for information security in accordance with business requirements and relevant laws and regulations of the Kingdom of Bahrain.
The management team and the board of directors have approved and authorized an information security policy for the Organisation. This policy is set out below and is authorized for separate distribution under the signature of the President of the CIO, with the reference DOC 5.1. A current version of this document is available to all staff and contractors, and to external parties [when signing supply contracts]. The development of the information security policy is carried out under the PDCA process described in Section 3 of the Information Security Manual.
INFORMATION SECURITY POLICY
The Board and management of The Central Informatics Organization [CIO], located at the National Smart Card Centre [NSCC], Building 1088, Road 4025, Block 842, Isa Town, and at the Government Data Network Centre, 1091, Road 4225, Juffair 342, both in the Kingdom of Bahrain, which provides for the operation of the National ID card and the identity verification and validation of the citizens and residents of the Kingdom of Bahrain and is in the business of providing Digital Certificates and related Public Key Infrastructure [PKI] services, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the CIO CA and RA areas in order to preserve the integrity, reputation and security of the citizens, residents and Government Departments and Agents it serves. Information and information security requirements will continue to be aligned with the CIO goals, and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.
The CIO’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The risk assessment, Statement of Applicability and risk treatment plan identify how information-related risks are controlled. The Information Security Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data back-up procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the Manual and are supported by specific, documented policies and procedures.
All employees of the CIO [and certain external parties identified in the ISMS] are expected to comply with this policy and with the ISMS that implements this policy. All staff, and certain external parties, will receive appropriate training, initially by the Digi-CAST3™ Team and ultimately by the Information Security Manager.
The CIO has established a Trust Centre top-level management steering committee, chaired by the Director General of IT and including the President of the CIO and the Chief Security Officer, to support the ISMS framework and to periodically review the security policy.
The CIO is committed to achieving certification of its ISMS to ISO27001:2005.
This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, “information security” is defined as:
preserving
This means that management, all full-time or part-time staff, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in Section 13 of the Manual) and to act in accordance with the requirements of the ISMS. The consequences of security policy violations are described in the [organization’s] disciplinary policy. All staff will receive information security awareness training, and more specialized staff will receive appropriately specialized information security training.
the availability.
This means that information and associated assets should be accessible to authorized users when required and therefore physically secure. The computer network identified as part of the scoping work for Section 1 of the Manual is resilient and the organization is able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There are appropriate business continuity plans to meet the requirements of the CIO Trust Centre as approved by the Director General of IT.
Confidentiality
This involves ensuring that information is only accessible to those authorized to access it, and therefore preventing both deliberate and accidental unauthorized access to the CIO Trust Centre’s information and proprietary knowledge and its systems, including its network(s), website(s), extranet(s), and e-commerce systems.
And integrity
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing the deliberate or accidental, partial or complete destruction or unauthorized modification of either physical assets or electronic data. There must be appropriate contingency plans [including for network(s), e-commerce system(s), website(s), extranet(s)], data back-up plans, and security incident reporting. The CIO Trust Centre will comply with all relevant data-related legislation in the Kingdom of Bahrain, within which it operates.
Of the physical (assets)
The physical assets of the CIO Trust Centre including but not limited to computer hardware, data cabling, telephone systems, filing systems and physical data files and information assets
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs, as well as on CD-ROMs, floppy disks, USB sticks, back-up tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context “data” also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc.).
of the CIO.
The CIO Trust Centre and such partners that are part of our integrated network and have signed up to our security policy and have accepted our ISMS.
The ISMS is the Information Security Management System, of which this policy, the information security manual (“the Manual”) and other supporting and related documentation are a part, and which has been designed in accordance with the [specification contained in ISO27001:2005].
A SECURITY BREACH
A SECURITY BREACH is any incident or activity that causes or may cause a breakdown in the availability, confidentiality or integrity of the physical or electronic information assets of the Organization.
The Information Security Manager is the Owner of this document and is responsible for ensuring that this policy document is reviewed in line with the requirements in clause 5.1.2 in the Manual.
A current version of this document is available to all members of staff on request and, as it does not contain confidential information, it can be released to relevant external parties.
This information security policy was approved by the Trust Centre Committee and the Directors of the CIO on 08 November, 2007 and is issued on a version-controlled basis under the signature of the Information Security Manager.
Shaikh Salman Mohammed Al-Khalifa Mohammed Al-Amer
Director General of IT President of CIO
____________________________ _______________________________
On:
08 November, 2007 08 November, 2007
____________________________ _______________________________
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue
The Organisation’s information security policy is reviewed at planned intervals, or when and if significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness.
Note: The Information Security Manager accepts his role as owner of this document and intends to conduct several internal audits before 30 November, 2007 to ensure all aspects of the ISMS are correct, accurate and that this ISMS accurately reflects the total CIO Trust Centre environment.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________