Security Policy

Introduction

This document specifies a comprehensive set of Technology Security Policy statements and guidelines to define how information security will be applied within Opus Works (OW).

Its purpose is to communicate management information security directives so as to ensure consistent and appropriate protection of information throughout Opus Works. It is a reference document to be used by employees, agents, contractors and any Security authorised third party organisations or customers that may utilise, manage or control Opus Works information or Information assets.

Applicability

This policy is applicable;

• To all employees working within Opus Works and others working on behalf of Opus Works in a similar capacity including contractors, consultants, temporary staff, student placements etc; and
• To all information/data, information processing/computer systems and networks (collectively known as “information assets”) owned by Opus Works, or those entrusted to Opus Works by third parties.

Purpose

The purpose of Information Security within Opus Works is to ensure the confidentiality, integrity and availability (CIA) of information and systems. This is achieved by the minimisation of business risk by preventing or reducing the impact of potential security incidents. Information Security further mitigates risks by allowing information to be shared in a controlled manner that ensures the protection of information and computing assets.

CIA is defined for the purposes of this document below;

• Confidentiality: Protection of sensitive information from unauthorised disclosure.
• Integrity: Maintaining accuracy and completeness of information assets.
• Availability: Ensuring that information assets and vital services are available to users whenever they are required. This policy outlines the high-level principles that must be applied to all information systems and environments. Associated documents such as standards, process and procedure documents are based upon this policy and are referenced by it.

Security Policy Principles

1. Information Security is a business enabler and aligns with business goals and objectives.
2. Information is a critical Opus Works business asset and must be protected and handled to a degree appropriate to its classification and its value to the business.
3. Information Security controls are necessary to protect Opus Works information assets against unacceptable loss.
4. Information Security permeates throughout the entire organisation.
5. Information Security is a core element of corporate governance.
6. Opus Works adheres to accepted best practices regarding Information Security Standards.

Goals

The goal of this Opus Works Security Policy is to ensure that:

• Confidentiality and Integrity of Opus Works information is assured and Business requirements for the availability of Opus Works information and information systems are met.

Achieving these goals requires that:

• Detailed security standards, process and procedure documents are produced and maintained in order to support Opus Works business functions.
• Clear division of responsibilities is defined.
• All Opus Works assets are classified in order to ensure that they are adequately secured.
• Information is protected against unauthorised access.
• All breaches of information security, actual or suspected, are investigated and reported to the ISMS Committee.
• Software and systems are only used for legitimate business purposes.
• Violation and incident management procedures are maintained.
• Regulatory and legislative requirements are met, including independent annual review of information security.
• Data protection and information security awareness is provided for all staff.
• Appropriate business and technical risk assessments are conducted for new services or when changes are made to existing services.

Compliance

The statements in this policy are mandatory unless otherwise stated. Where compliance with one or more of the policy statements or derived standards cannot be achieved, then the instance and reason for non-compliance must be justified, documented and presented to the ISMS Committee. If the appropriate system owner (SO) chooses to accept the risk for non-compliance, as determined by a Security Risk Assessment, then the exemption/deviation process must be followed.

Changes to Policy

Any request for change to the policy (additions, deletions or alterations) must be submitted to the ISMS Committee for approval or denial. Approved changes considered critical and immediate outside of the annual review may be granted and the request will be incorporated into the policy. Alternatively, an exception may be granted until the next annual review.

Organisation of Information Security

Management Commitment

The management of information security within Opus Works must function within a clearly defined organisational structure. Roles and responsibilities must be defined and maintained in order to support this security organisation. By maintaining a clearly defined structure within information security, the following organisational benefits will be achieved:

• Coherent policy definitions that are applied in all situations at all levels of the business. In achieving this, Information Security will be implemented consistently and hence more effectively.
• Clearly defined reporting lines will ensure that escalation paths provide an effective response mechanism in the management of security incidents.
• All staff members will have clearly defined roles with regard to maintaining the integrity and on-going effectiveness of Information Security. The Directors give overall strategic direction by approving and mandating the Opus Works Security Policy and delegates operational responsibilities for Information Security to the ISMS Committee. The ISMS Committee review policy throughout Opus Works and ensure that suitable policies are in place to support Opus Works security principles. Management demonstrate their commitment to Information Security by:
  • Reviewing and re-approving the policy annually.
  • Receiving and acting appropriately on management reports concerning Information Security performance metrics and security incidents.

Information Security Roles and Responsibilities

The Directors (or assigned delegate) are responsible for:

• Taking the lead on information governance as a whole by providing the overall strategic direction, support and resource necessary to ensure that information assets are identified and suitably protected throughout Opus Works.

The ISMS Committee are responsible for:

• Defining technical and non-technical Information Security Standards, Procedures and Guidelines.
• Supporting System Owners (SOs) and managers in the definition and implementation of controls, processes and supporting tools to comply with this policy and manage Information Security risks.
• Reviewing and monitoring compliance with policy statements.
• Collecting, analysing and commenting on Information Security metrics and incidents.
• Supporting SOs in the investigation and remediation of Information Security incidents or other policy violations.
• Liaising as necessary with auditors, the Directors (or assigned delegate) and external functions such as the Police when appropriate.
• Authorising access to information assets by role in accordance with their classification and business requirements.
• The administration and assignment of information security activities to authorised personnel within the organisation
• Ensuring that all Information Security initiatives are in alliance with all company-wide regulatory compliance, governance and security mandates
• Creating and distributing security policies and procedures
• Monitoring and analysing security alerts and distributing information to appropriate information security and business unit management personnel
• Creating and distributing security incident response and escalation procedures
• Administering user account and authentication management (Systems related to Opus Works customer products)

Consultants throughout Opus Works are responsible for:

• Day-to-day implementation of this policy;
• Ensuring that suitable technical, physical and procedural controls are in place in accordance with this policy and associated guidance, and are properly applied and used by all employees. In particular, they must take measures to ensure that employees:
  • Are informed of their obligations to fulfil relevant corporate policy statements by means of appropriate awareness, training and education activities.
  • Comply with the policy statements and actively support the associated controls.
  • Are monitored to assess their compliance with the policy statements and the correct operation of the associated controls, and reminded of their obligations as appropriate.
  • Providing the direction, resources, support, and review necessary to ensure that information assets are appropriately protected within their area of responsibility.
  • Informing Security and/or SOs of actual or suspected policy violations (Information Security incidents) affecting their assets.
  • Evaluating compliance with the policy and associated guidance through regular checks.

Systems Owners (SOs)

SOs are managers held accountable for the protection of particular Information Assets. SOs may delegate information security tasks to managers or other individuals but still remain accountable for them. SOs are responsible for:

• Appropriate classification and protection of the information assets.
• Specifying and funding suitable protective controls.
• Authorising access to information assets by individuals in accordance with their role, classification and business requirements.
• Undertaking or commissioning information security risk assessments for new systems or upgrades, to ensure that the Information Security requirements are properly defined and documented during the early stages of development.
• Monitoring compliance against the protection requirements associated with their assets.
• Ensuring up-to-date documentation of working practices, processes and procedures.
• Periodic access right reviews and promptly notifying the service desk of redundant/invalid User IDs, inappropriate access rights and/or if users change jobs or leave Opus Works.
• Systems Users (SUs) are all users of the Opus Works Information systems including all the above mentioned.
• System users are all required to familiarise themselves and comply with the Opus Works Acceptable Usage Policy (AUP) applicable to all system users, and details the SU’s roles and responsibilities.

Employees and Contractors

Employees and contractors utilising and having access to a broad range of Opus Works information systems are required to adhere to the policies, procedures, provisions, general guidelines outlined in this security policy document and all other applicable supporting policy and procedure documents. Information security responsibilities include, but are not limited to the following system components and any other I.T. personnel deemed critical by Opus Works:

• Network devices and supporting network protocols and activities
• Operating systems and supporting systems
• Applications and supporting systems and activities
• Databases
• Data transmission protocols
• End-user devices and technologies

Information security responsibilities include not engaging in any activity that may potentially compromise the organisation’s network infrastructure, cause harm to other related systems or pose a significant financial, operational or business threat to the organisation because of misuse of system components or any other I.T. personnel deemed critical by the organisation. Violation of these information security responsibilities will be grounds for disciplinary action.

Security Awareness

As a minimum all Opus Works employees and contractors must have reviewed and acknowledged understanding of the Opus Works Security Policy on an annual basis. Where relevant to their job functions, workers must receive appropriate training and regular updates in information security policies, standards, procedures, laws, regulations etc. This includes security requirements, legal responsibilities and business controls (such as security incident reporting processes), as well as induction training in the appropriate and secure use of Opus Works facilities before access to information is granted. Security and risk awareness, education and training activities must reflect employee needs e.g.:

• Managers must receive information on their information security management, supervisory and governance responsibilities.
• I.T. professionals, whether or not they are employed within Opus Works, must be informed about the technical aspects of information security.
• Employees who routinely handle sensitive and valuable proprietary or personal data must be reminded periodically of their confidentiality and integrity obligations.
• All employees must be briefed about information security in general terms, using current security issues, changes, incidents or near-misses, regular appraisals, team meetings etc. as convenient opportunities to raise the subject.

Exemption

A system owner (SO) may propose short term exemptions to policy or standards, while an action plan to return the system to a compliant state is underway.

The SO, working with a member of the ISMS Committee, is responsible for documenting any risks arising from the proposed exemptions and specifying any mitigating controls which could be deployed to reduce the risk. The SO must document a mitigation action plan that details how their asset will become fully compliant with the policy or standard within a documented time frame. The exemption must be documented and be included in the SO risk register. The SO will be held accountable for all mitigating controls and undertaking their agreed action plan within the agreed timeframe. All exemptions must be reviewed at least every 3 months (or longer if agreed in the action plan) by the System Owner and at least 2 members of the ISMS Committee. The ISMS Committee will maintain the list of authorised exemptions and the reasons why the exemptions exist.

Deviation

A system owner (SO) may also propose a permanent deviation to policy or standards for an information asset under their remit, where no action plan exists or is being pursued to return the system to complaint state. The ISMS Committee, working with the SO, are responsible for documenting any risks arising from the proposed deviation and specifying any mitigating controls which could be deployed to reduce the risk. The deviation must be documented and be included in the System Owner Log and where appropriate, corporate risk register. The SO is responsible for any and all risks introduced to Opus Works as a result of their deviation. All Deviations must be reviewed at least every 12 months by the ISMS Committee and the respective SO. The ISMS Committee will maintain a list of authorised deviations and the reasons why the deviation exist.

SUPPORTING DOCUMENTATION

This security policy should be read in collaboration with the Acceptable Usage Policy (AUP) and supporting technical / configuration policies highlighted below

Formal Risk Assessment

Security Risk Assessments are expected to be carried out for all new systems and upgrades, either in-house or 3rd party.

Identification of risk from third party access

Third parties who require access to Opus Works services may be asked to adhere to the requirements of the Opus Works Acceptable Usage Policy (AUP).

Access Control and Password management

Users are required to follow good security practices in the selection, use and management of their passwords and to keep them confidential. They should all be assigned a unique ID and be assigned levels of access to systems and data based on minimum permissions necessary in order to deliver their role. Further information can be found in the following:

• Access Control & Password Policy

Change management

Controls must be in place to ensure system changes are duly authorised by the tech lead, risk assessed and approved for production and staging systems.

Physical Security

Physical security is in place in the Opus Works offices to protect Infintity Works physical and data assets and just as importantly our employees. This is facilitated through the use of intruder alarms, physical access control systems, CCTV and Wireless Access Point Testing as documented in the:

• Physical Security Controls Policy

Responsibility for Policy Maintenance

The ISMS Committee are responsible for ensuring that the aforementioned policy is kept current as needed for purposes of compliance.

back