| Information about the Document | | | |
|---|---|---|---|
| Document Type: | Policy Document | | |
| Document Name: | Information Security Policy | | |
| Document Version: | 001 | | |
| Version Date: | 01.03.2024 | | |
| Review Authority: | Directorate | Review Date: | 03.03.2024 |
| Status: | Approved | Document Owner: | Directorate |
Aim of the Document
This policy document describes the information technology rules and guidelines in force at SHARAAPP LLC that serve the purposes of the organization. The policy is the rule from which procedures are developed; the policy document states the content of the policy, identifies the person responsible for its implementation and justifies its need.
1. Purpose, scope and users
The present Policy document aims to define the security requirements for the proper and secure use of the Information Assets of SHARAAPP LLC (which may be referred to as the “Company” hereafter). Its goal is to protect the Company and its users to the maximum extent possible against security threats that could jeopardize their integrity, privacy, availability, reputation and business outcomes.
2. Aim
The aim is to define the directions, principles and basic rules for information security management within SHARAAPP LLC.
3. Scope
This Policy applies to the entire Company.
Users of this document are all employees of SHARAAPP LLC, as well as contractors, vendors and third parties who have access to SHARAAPP LLC’s information systems and information.
4. Definitions of the Terminology
Confidentiality – implies access to information only by authorized entities or processes;
...
Business Service – Service that is delivered to business customers by business units. A business service may be supported by one or more IT service(s), and in many cases may consist almost entirely of IT services.
5. Introduction
5.1. Information Security Policy states the types and levels of security over the information technology resources and capabilities that must be established and operated in order for those items to be considered secure.
...
5.3. Information security is defined by the practices that make it possible to ensure that the information under the responsibility of SHARAAPP LLC is only accessed or modified, during its storage, processing or transmission, by authorized individuals, entities or systems. These practices include the necessary measures to detect, document and respond to threats to the integrity, availability and confidentiality of information. Information is a vital and valuable asset of SHARAAPP LLC and its business activities. In some cases such value can be directly converted into a monetary amount, and in others it is associated with qualitative factors, such as reputation. A breach of its confidentiality, integrity or availability while it is being handled by end users may lead to significant losses to the organization.
6. Managing Information Security
6.1. Objectives and measurement
6.1.1. The general objective of the Information Security Policy is to protect the information utilized by the Company in attaining its business goals. Information security must be managed in line with SHARAAPP LLC’s risk management and business continuity, thereby reducing the occurrence and potential damage of information security incidents.
...
6.1.3. The Company’s Directorate sets responsibilities for continuous review, measurement and improvement of these information security objectives.
6.2. Code of Conduct
6.2.1. SHARAAPP LLC should define rules with respect to information security in its Code of Conduct, applicable to all employees, suppliers and other external entities, specifically covering the following principles:
...
6.2.1.4. Treatment of breaches or violations of the present Policy or of further information security policies and procedures.
6.3. Human Resources
Information security is applicable to all SHARAAPP LLC’s employees, across all departments, and specific responsibilities shall be assigned to certain functions. SHARAAPP LLC should promote the necessary training and duly inform its employees, as well as employees of suppliers and other external entities so that they are able to assume their responsibilities under the scope of information security according to Information Security Policy.
6.4. Information Asset Management
The information managed by SHARAAPP LLC, its processes and supporting infrastructures, employees, third parties, offices, equipment, documents, systems, applications and networks are valuable information assets of the organization. As such, each of these assets should be properly protected in compliance with the information security procedures approved by SHARAAPP LLC throughout its entire life cycle, which includes its creation, handling, storage, transportation and disposal. The information managed by SHARAAPP LLC should be used in a transparent manner and only for the purpose for which it was created or entrusted.
6.5. Information Systems
Since information is mostly stored electronically, special attention should be paid to the specific procedures that manage the information systems, as well as the assets that support them. SHARAAPP LLC’s information systems should be designed, specified, developed, tested, deployed and managed taking into account the needs and requirements of information security – confidentiality, integrity and availability.
6.6. Information Security Risk Management
One of the key areas of SHARAAPP LLC is continuous information security risk management – the identification, evaluation and treatment of the risks, inherent to its activity, to which the organization’s information assets are exposed – as a management tool of the company. Risk management includes the implementation of security controls and mechanisms that aim to mitigate or limit the potential damage caused by the exploitation of assets’ vulnerabilities, in order to minimize the occurrence of incidents and ensure an adequate security level that matches the risk level SHARAAPP LLC is willing to accept. Such measures should be designed in accordance with SHARAAPP LLC’s business goals and responsibilities, considering efficiency, cost and applicability. SHARAAPP LLC risk management also incorporates the monitoring of the operational risks to which SHARAAPP LLC is exposed, through the implementation of procedures for evaluating the level of exposure and the risk limit considered acceptable in view of the organization’s objectives.
6.7. Incident Management and Business Continuity
All events that may jeopardize business operations or compromise information security will be treated as security incidents, in accordance with the incident management process approved by SHARAAPP LLC. The availability of information, not neglecting the responsibility towards the remaining information security commitments, shall be assured by the implementation of a response plan to disruptive incidents.
6.8. Information Security Compliance Requirements
6.8.1. This Policy must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.
...
6.8.4. Compliance with internationally recognized standards.
6.9. Information Security Controls
6.9.1. The process of selecting the controls (safeguards) is primarily based on mandatory legal and regulatory requirements.
6.10. Policy Communication
The Directorate has to ensure that all employees of SHARAAPP LLC, as well as contractors, vendors and third parties, are familiar with this Policy.
6.11. Monitoring and Incident Reporting
6.11.1. SHARAAPP LLC reserves the right to perform technical monitoring of the execution and enforcement of this Policy and the underlying Policies and Procedures, in conformance with Georgian privacy and personal data protection laws and regulations.
6.11.2. All security incidents or weaknesses, as well as violations of this Policy, must be immediately reported to the Directorate. Risks related to cyber-attacks must be immediately reported to the Directorate.
7. Responsibilities
7.1. Protection of integrity, availability, and confidentiality of assets is the responsibility of the owner of each asset. All employees, contractors, vendors and third parties are responsible for following this Policy.
7.2. Responsibilities are the following:
7.2.1. Directorate
7.2.1.1. The Directorate must review the policy at least once a year or each time a significant change occurs, and prepare minutes from that meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the Information Security Policy.
...
7.2.1.6.7. Develop and adopt Information Security Risk Assessment and Treatment Methodology, as well as coordinate information risk assessments.
7.2.2. IT Operations
7.2.2.1. SHARAAPP LLC IT Operations is the direct link between information security policies and the network, systems and data. Responsibilities of the IT Operations Team include but are not limited to:
...
7.2.2.1.6. Report to the Directorate any breaches or attempts of breaches of policies/standards/procedures, weaknesses or vulnerabilities.
7.2.3. Software Developers
7.2.3.1. Software development process must comply with Secure Software Development Policy.
...
7.2.3.4. Software developers must avoid changes in a production environment or changes in other environments, which may harm confidentiality, integrity and availability of production data and bring damage to the Company. For any change, Change Management Process must be followed.
7.2.4. Business Service Owners
7.2.4.1. Business Service owners are responsible for the rollout of information security awareness and training programs to vendors and third parties accessing Company systems and information.
7.2.4.2. Business Service owners play a crucial part in the risk management process and their rights and responsibilities within this process.
7.2.5. Employees
7.2.5.1. Each employee of SHARAAPP LLC must realize the fundamental importance of information resources and recognize their responsibility for the safekeeping of those resources. Employees must guard against abuses that disrupt or threaten the viability of all systems. The following are specific responsibilities of all SHARAAPP LLC information system users:
...
7.2.5.1.3. Report any suspicious events, incidents, attempts or actual violations of SHARAAPP LLC policies, standards and procedures to the Directorate by opening an Information Security ticket with Customer Support.
8. Disciplinary Actions
In case of violations of Information Security procedures, the employee in question may be subject to disciplinary measures, including but not limited to termination of the employment contract.
9. Validity and document management
9.1. This document is valid as of the day of approval. The owner of this document is Directors. This document must be reviewed at least once a year or each time a significant change occurs.
...