Twinit - Information Security Policy
Information Security Policy, version 003
Status:
☐ Working Draft
☐ Approved
☒ Adopted
Document Owner:
Managing Board
Last Review Date:
January 2023
Information about the Document

| Document Type | Policy Document |
|---|---|
| Document Name | Information Security Policy |
| Author | Gvantsa Davitaia |
| Author Position | IT Processes Analyst |
| Document Version | 003 |
| Version Date | 01.03.2024 |
| Review Authority | Directorate |
| Review Date | 03.03.2024 |
| Status | Approved |
| Document Owner | Directorate |
Aim of the Document
The policy document describes the information technology rules and guidelines in force at Twinit SHARAAPP LLC that serve the purposes of the organization. The policy is the rule from which procedures are developed; the policy document states the content of the policy, identifies the person responsible for its implementation and justifies its need.
...
Contents
...
...
| Version | Date | Reviewed By | Reason/Comments |
|---|---|---|---|
| 001 | 19.08.2021 | Salome Khaindrava, Niko Khvichia, Ana Jgerenaia, Gia Jgarkava | First version of the document |
| 002 | 04.01.2022 | Salome Khaindrava, Niko Khvichia, Ana Jgerenaia, Gia Jgarkava | Approved version |
| 003 | 17.01.2023 | Salome Khaindrava, Niko Khvichia, Ana Jgerenaia, Gia Jgarkava | Document references updates |
1. Purpose, scope and users
The present Policy document is aimed to define the security requirements for the proper and secure use of the Information Assets in SHARAAPP LLC (may be referred as “Company” hereafter). Its goal is to protect the Company and users to the maximum extent possible against security threats that could jeopardize their integrity, privacy, availability, reputation and business outcomes.
2. Aim
The aim is to define the directions, principles and basic rules for information security management within SHARAAPP LLC.
3. Scope
Present Policy applies to the entire Company.
Users of this document are all employees of SHARAAPP LLC, as well as contractors, vendors and third parties who have access to SHARAAPP LLC’s information systems and information.
4. Definitions of the Terminology
Confidentiality – implies access to information only by authorized entities or processes;
Integrity – accuracy and completeness of the asset, the unmistakable knowledge that the underlying data and information is correct, is not modified by unauthorized entities and reflects accurate facts during its lifecycle;
Availability – the accessibility and usability of the asset as requested by the authorized entity. True knowledge that information will be made available to authorized users, whenever necessary;
Information security – activities that ensure the availability, integrity, authenticity and confidentiality of information and information systems and their continuous operation; the process which ensures the maintenance and protection of the confidentiality, integrity and availability of information and information systems;
Information asset (hereinafter referred to as "asset") - all information and knowledge (in particular information storage, processing and transmission technologies, employees and their knowledge of information processing) that are valuable and important for SHARAAPP LLC.
Control - a set of actions and technologies designed to reduce the likelihood and/or adverse consequences of a threat.
Information Security Policy (hereinafter referred to as "the Policy") - a set of norms, instructions, principles and practices derived from best practice, that serve to ensure information security and conform to international standards in the field of data protection;
Authorized User - a person who has the consent of the relevant authorized person to use and manage information and information systems.
Owner - a person or entity having the proven right to manage, develop, support, use and protect an asset. "Owner" does not imply any property rights over the asset;
Risk - the possibility of an event that may adversely affect the pursuit and achievement of the objectives. It is measured by combining the consequences of such an event (impact) and its probability of occurrence;
...
Information Security Incident – an information security event or series of events, unwanted or unexpected, that compromises information security and threatens the confidentiality, integrity or availability of assets.
Managing Board Directorate – founding partners of Twinit SHARAAPP LLC.
Business Service – Service that is delivered to business customers by business units. A business service may be supported by one or more IT service(s), and in many cases may consist almost entirely of IT services.
5. Introduction
5.1. Information Security Policy states the types and levels of security over the information technology resources and capabilities that must be established and operated in order for those items to be considered secure.
5.2. Twinit SHARAAPP LLC recognizes that global access to information provides many opportunities but also many challenges. The commercialization and ubiquity of the internet has allowed hackers, organized crime and other malicious actors to attack free and open networks. We are now dependent on a secure environment to undertake our core business and the protection of our information systems and information assets is essential. The Policy is built into Twinit SHARAAPP LLC’s risk management framework at the highest level.
5.3. Information security is defined by the practices that make it possible to ensure that the information under the responsibility of Twinit SHARAAPP LLC is only accessed or modified, during its storage, processing or transmission, by authorized individuals, entities or systems. These practices include the necessary measures to detect, document and respond to threats to the integrity, availability and confidentiality of information. Information is a vital and valuable asset of Twinit SHARAAPP LLC and its business activities. In some cases such value can be directly converted into a monetary amount and in others it is associated with qualitative factors, such as reputation. A breach of its confidentiality, integrity or availability while it is being handled by end users may lead to significant losses to the organization.
6. Managing Information Security
6.1. Objectives and measurement
6.1.1. The general objective of the Information Security Policy is to protect the information utilized by the Company in attaining its business goals. Information security must be managed in line with Twinit SHARAAPP LLC’s risk management and business continuity, thereby reducing the occurrence and potential damage of information security incidents.
6.1.2. The following goals are pursued to safeguard the confidentiality, integrity and availability of all information assets. It is the policy of Twinit SHARAAPP LLC to ensure:
6.1.2.1. Compliance with legislation, regulations and other applicable standards;
6.1.2.2. Compliance with the confidentiality, integrity and availability requirements appropriate to Twinit SHARAAPP LLC’s business goals, in particular the needs of its members;
6.1.2.3. Implement controls to protect Twinit SHARAAPP LLC’s information assets from theft, intrusion, abuse or other forms of illicit treatment;
6.1.2.4. Promote a culture of awareness and commitment to information security amongst the Board of Directors, Senior Management and employees, motivating them to become aware of and take responsibility for their own actions, so as to minimize the risk of security incidents;
6.1.2.5. Ensure the availability and reliability of the equipment, infrastructures and systems that support Twinit SHARAAPP LLC’s activity;
6.1.2.6. Ensure that Twinit SHARAAPP LLC has the ability to continue its activity in case any serious security incident occurs, under the conditions laid down in the specific applicable rules and procedures;
...
6.1.2.9. Ensure that external suppliers/parties fit Twinit SHARAAPP LLC’s security needs and requirements;
6.1.2.10. Reduce the damage caused by information security incidents at Twinit SHARAAPP LLC, as well as ensure that they are reported and investigated under the terms defined for that purpose;
...
6.1.2.13. Information security goals are in line with the Company’s business objectives, strategy and business plans;
6.1.3. The Company’s Managing Board Directorate sets responsibilities for continuous review, measurement and improvement of these information security objectives.
6.2. Code of Conduct
6.2.1. Twinit SHARAAPP LLC should define rules with respect to information security in its Code of Conduct, applicable to all employees, suppliers and other external entities, specifically covering the following principles:
...
6.2.1.2 Usage of technological resources and systems provided by Twinit SHARAAPP LLC;
6.2.1.3. Treatment of information and personal data under the responsibility of Twinit SHARAAPP LLC;
6.2.1.4. Treatment of breaches or violations of the present Policy or of further information security policies and procedures.
6.3. Human Resources
Information security is applicable to all Twinit SHARAAPP LLC’s employees, across all departments, and specific responsibilities shall be assigned to certain functions. Twinit SHARAAPP LLC should promote the necessary training and duly inform its employees, as well as employees of suppliers and other external entities so that they are able to assume their responsibilities under the scope of information security according to Information Security Policy.
6.4. Information Asset Management
The information managed by Twinit SHARAAPP LLC, its processes and support infrastructures, employees, third parties, offices, equipment, documents, systems, applications and networks are valuable information assets of the organization. As such, each of these assets should be properly protected in compliance with the information security procedures approved by Twinit SHARAAPP LLC, throughout its entire life cycle, which includes its creation, handling, storage, transportation and disposal. The information managed by Twinit SHARAAPP LLC should be used in a transparent manner and only for the purpose for which it was created or entrusted.
6.5. Information Systems
Since information is mostly stored in electronic form, special attention should be paid to the specific procedures that manage the information systems, as well as the assets that support them. Twinit SHARAAPP LLC’s information systems should be designed, specified, developed, tested, deployed and managed taking into account the needs and requirements of information security – confidentiality, integrity and availability.
6.6. Information Security Risk Management
One of the key areas of Twinit SHARAAPP LLC is the continuous information security risk management – identification, evaluation and treatment of risks, inherent to its activity, to which the organization’s information assets are exposed – as a tool of management of the company. Risk management includes the implementation of security controls and mechanisms that aim to mitigate or limit the potential damages caused by the exploitation of assets’ vulnerabilities, in order to minimize the occurrence of incidents and ensure an adequate security level that meets the risk level that Twinit SHARAAPP LLC is willing to accept. Such measures should be designed in accordance with Twinit SHARAAPP LLC’s business goals and responsibilities, considering efficiency, cost and applicability. Twinit SHARAAPP LLC risk management also incorporates the monitoring of operational risks to which Twinit SHARAAPP LLC is exposed, through the implementation of procedures for evaluating the level of exposure and the risk limit considered acceptable in view of the organization’s objectives.
6.7. Incident Management and Business Continuity
All events that may jeopardize business operations or compromise information security will be treated as security incidents, in accordance with the incident management process approved by Twinit SHARAAPP LLC. The availability of information, not neglecting the responsibility towards the remaining information security commitments, shall be assured by the implementation of a response plan to disruptive incidents.
6.8. Information Security Compliance Requirements
6.8.1. This Policy must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.
6.8.2. A detailed list of all legal, regulatory and contractual requirements is provided in Twinit SHARAAPP LLC’s List of Legal, Regulatory and Contractual Obligations.
...
6.8.4. Compliance with internationally recognized standards.
6.9. Information Security Controls
6.9.1. The process of selecting the controls (safeguards) is primarily based on mandatory legal and regulatory requirements.
6.10. Policy Communication
The Managing Board Directorate has to ensure that all employees of Twinit SHARAAPP LLC, as well as contractors, vendors and third parties, are familiar with this Policy.
6.11. Monitoring and Incident Reporting
6.11.1. Twinit SHARAAPP LLC reserves the right to perform technical monitoring of the execution and enforcement of this Policy and the underlying Policies and Procedures, in conformance with Georgian privacy and personal data protection laws and regulations.
6.11.2. All security incidents or weaknesses, as well as violations of this Policy, must be immediately reported to the Managing Board Directorate. Risks related to cyber-attacks must be immediately reported to the Managing Board Directorate.
7. Responsibilities
7.1. Protection of integrity, availability, and confidentiality of assets is the responsibility of the owner of each asset. All employees, contractors, vendors and third parties are responsible for following this Policy.
7.2. Responsibilities are the following:
7.2.1. Managing Board Directorate
7.2.1.1. The Managing Board Directorate must review the policy at least once a year or each time a significant change occurs, and prepare minutes from that meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the Information Security Policy.
7.2.1.2. Managing Board Directorate is responsible for ensuring that the Information Security Policy is implemented and maintained, and for ensuring all necessary resources are available.
7.2.1.3. Managing Board Directorate is responsible for information security monitoring and incident management.
7.2.1.4. Successfully securing Twinit SHARAAPP LLC information systems requires that the various individual employees and groups consistently adhere to a shared vision for security.
7.2.1.5. Managing Board Directorate works with managers, administrators and users to develop security policies, standards and procedures to help protect the assets of Twinit SHARAAPP LLC.
7.2.1.6. Managing Board Directorate is dedicated to security planning, education and awareness. Specific responsibilities of the Managing Board Directorate include:
7.2.1.6.1. Create new information security policies and procedures when needs arise. Maintain and update existing information security policies and procedures. Review the policy on an annual basis and assist management with the approval process.
...
7.2.1.6.7. Develop and adopt Information Security Risk Assessment and Treatment Methodology, as well as coordinate information risk assessments.
7.2.2. IT Operations
7.2.2.1. Twinit SHARAAPP LLC IT Operations is the direct link between information security policies and the network, systems and data. Responsibilities of the IT Operations Team include but are not limited to:
7.2.2.1.1. Applying Twinit SHARAAPP LLC information security policies and procedures as applicable to all information assets.
7.2.2.1.2. Administering user account and authentication management.
7.2.2.1.3. Assisting the Managing Board Directorate with monitoring and controlling all access to Twinit SHARAAPP LLC data.
7.2.2.1.4. Restricting physical access to publicly accessible network jacks, wireless access points, gateways and handheld devices.
7.2.2.1.5. Hardening devices and systems under their management.
7.2.2.1.6. Reporting to the Managing Board Directorate any breaches or attempted breaches of policies/standards/procedures, weaknesses or vulnerabilities.
7.2.3. Software Developers
7.2.3.1. Software development process must comply with Secure Software Development Policy.
...
7.2.3.4. Software developers must avoid changes in the production environment, or in other environments, that may harm the confidentiality, integrity and availability of production data and cause damage to the Company. For any change, the Change Management Process must be followed.
7.2.4. Business Service Owners
7.2.4.1. Business Service owners are responsible for the rollout of information security awareness and training programs to vendors and third parties accessing Company systems and information.
7.2.4.2. Business Service owners play a crucial part in the risk management process and have rights and responsibilities within it.
7.2.5. Employees
7.2.5.1. Each employee of Twinit SHARAAPP LLC must realize the fundamental importance of information resources and recognize their responsibility for the safekeeping of those resources. Employees must guard against abuses that disrupt or threaten the viability of all systems. The following are specific responsibilities of all Twinit SHARAAPP LLC information system users:
7.2.5.1.1. Understand what the consequences of their actions are with regard to computing security practices and act accordingly. Embrace the “Security is everyone’s responsibility” philosophy to assist Twinit SHARAAPP LLC in meeting its business goals.
...
7.2.5.1.3. Report any suspicious events, incidents, attempts or actual violations of Twinit SHARAAPP LLC policies, standards and procedures to the Managing Board Directorate by opening an Information Security ticket on Twinit Portal Customer Support.
8. Disciplinary Actions
In case of violations of Information Security procedures, the employee in question may be subject to disciplinary measures, including but not limited to termination of the employment contract.
9. Validity and document management
9.1. This document is valid as of the day of approval. The owner of this document is the Managing Board Directorate. This document must be reviewed at least once a year or each time a significant change occurs.
...
9.3. Objectives for individual security controls or groups of controls are derived from the information security objectives and approved by the Managing Board Directorate.
9.4. All the objectives must be reviewed and measurements performed at least once a year or each time a significant change occurs. Analysis and evaluation of the measurement results and reporting is delivered to Managing Board Directorate as input materials for the Management Review.
9.5. Management of Information Security is in line with Business Continuity processes, which are prescribed in the Twinit SHARAAPP LLC’s Business Continuity Management Policy.
...
| Document # | Name | Document Owner |
|---|---|---|
| 04-001-006 | Document Taxonomy Standard | Managing Board |
| 05-001-002 | Security Incident Management Process | Managing Board |
| 03-001-003 | Information Security Policy | Managing Board |
| 07-001-003 | Incident Communication Guide | Managing Board |
| 05-002-003 | Change Management Process | Managing Board |
| 13-001-003 | Disaster Recovery Plan | Managing Board |
| 06-003-001 | Electronic Data Disposal Procedure | Managing Board |
| 06-004-001 | Mobile Devices Procedure | |