Organization information security policy sample. Security policy requirements

Information Security Policy (Example)

Summary of Policy

Information must always be protected, regardless of its form and the way it is distributed, transmitted and stored.

Introduction

Information can exist in many different forms. It may be printed or written on paper, stored electronically, transmitted by mail or electronic devices, shown on film, or transmitted orally through communication.

Information security is the protection of information from various threats, designed to ensure the continuity of business processes, minimize business risk and maximize the return on investment and ensure business opportunities.

Scope

This policy reinforces the overall security policy of the organization.
This policy applies to all employees of the organization.

Information security goals

1. Understanding and handling strategic and operational information security risks so that they are acceptable to the organization.

2. Protect the confidentiality of customer information, product developments and marketing plans.

3. Maintaining the integrity of accounting materials.

4. Compliance of shared web services and intranets with appropriate accessibility standards.

Information Security Principles

1. The organization promotes risk taking and overcomes risks that conservatively managed organizations cannot overcome, provided that risks to information are understood, monitored, and addressed as appropriate. A detailed description of the approaches used to assess and treat risks can be found in the ISMS policy.

2. All personnel must be aware of and accountable for information security in relation to their job responsibilities.

3. Action must be taken to fund information security controls and project management processes.

4. The potential for fraud and abuse in information systems must be taken into account in the overall management of information systems.

5. Information security status reports should be available.

6. Information security risks must be monitored and action taken when changes result in unexpected risks.

7. Criteria for risk classification and risk acceptability can be found in the ISMS policy.

8. Situations that could lead the organization to violate laws and established regulations should not be tolerated.

Areas of responsibility

1. The senior management team is responsible for ensuring that information is processed appropriately throughout the organization.

2. Each senior manager is responsible for ensuring that employees working under his or her direction protect information in accordance with the organization's standards.

3. The head of security advises a group of senior managers, provides expert assistance to employees of the organization and ensures the availability of reports on the state of information security.

4. Each employee of the organization is responsible for information security as part of the performance of their job duties.

Key results

1. Information security incidents must not result in significant unexpected costs or significant disruption to business services and operations.

2. Losses due to fraud must be known and within acceptable limits.

3. Information security issues should not adversely affect customer acceptance of products and services.

Related Policies

The following detailed policies contain principles and recommendations on specific aspects of information security:

1. Information security management system (ISMS) policy;

2. Access control policy;

3. Clean desk and clean screen policy;

4. Unauthorized Software Policy;

5. Policy regarding the receipt of software files from or through external networks;

6. Mobile code policy;

7. Backup policy;

8. Policies regarding the exchange of information between organizations;

9. Policy regarding acceptable use of electronic communications;

10. Record Retention Policy;

11. Policy for the use of online services;

12. Policies related to mobile computing and communications;

13. Remote work policy;

14. Policy on the use of cryptographic controls;

15. Compliance Policy;

16. Software Licensing Policy;

17. Software Removal Policy;

18. Data protection and privacy policy.

All of these policies reinforce:

· identifying risk by providing a framework of controls that can be used to detect deficiencies in the design and implementation of systems;

· risk treatment by assisting in defining treatment options for specific vulnerabilities and threats.


Company information security policy

  • 1. General Provisions
      ◦ 1.1. Purpose and objectives of this Policy
      ◦ 1.2. Scope of this Policy
      ◦ 2.1. Responsibility for information assets
      ◦ 2.2. Access control to information systems
          ▪ 2.2.1. General provisions
          ▪ 2.2.2. Access of third parties to the Company’s systems
          ▪ 2.2.3. Remote access
          ▪ 2.2.4. Internet access
      ◦ 2.3. Equipment protection
          ▪ 2.3.1. Hardware
          ▪ 2.3.2. Software
      ◦ 2.5. Information security incident reporting, response and reporting
      ◦ 2.6. Premises with technical information security equipment
      ◦ 2.7. Network management
          ▪ 2.7.1. Data protection and safety
      ◦ 2.8. Systems development and change management

General provisions

Information is a valuable and vital resource of YOUR_COMPANY (hereinafter referred to as the Company). This information security policy provides for taking the necessary measures to protect assets from accidental or intentional change, disclosure or destruction, to maintain the confidentiality, integrity and availability of information, and to ensure automated data processing in the Company.

Every employee of the Company is responsible for maintaining information security, and the primary task is to ensure the security of all Company assets. This means that information must be protected no less reliably than any other main asset of the Company. The main goals of the Company cannot be achieved without timely and complete provision of employees with the information they need to perform their job duties.

In this Policy, the term “employee” means all employees of the Company. The provisions of this Policy apply to persons working for the Company under civil contracts, including secondees, if this is stipulated in such an agreement.

Regardless of the size of the organization and the specifics of its information system, work to ensure the information security regime usually consists of the following stages (Figure 1):

– defining the scope (boundaries) of the information security management system and specifying the goals of its creation;

– risk assessment;

– selection of countermeasures that ensure the IS regime;

– risk management;

– audit of the information security management system;

– development of a security policy.


Stage 3. Structuring countermeasures for information protection at the following main levels: administrative, procedural, software and hardware.

Stage 4. Establishing a procedure for certification and accreditation of CIS for compliance with standards in the field of information security. Determining the frequency of meetings on information security topics at the management level, including the periodic review of information security policy provisions, as well as the procedure for training all categories of users of the information system in the field of information security. It is known that the development of an organization’s security policy is the least formalized stage. However, recently this is where the efforts of many information security specialists have been focused.

Stage 5. Determining the scope (boundaries) of the information security management system and specifying the goals of its creation. At this stage, the boundaries of the system for which the information security regime must be ensured are determined. Accordingly, the information security management system is built precisely within these boundaries. The description of the system boundaries itself is recommended to be carried out according to the following plan:

– structure of the organization. Presentation of the existing structure and changes that are expected to be made in connection with the development (modernization) of an automated system;

– information system resources to be protected. It is advisable to consider the resources of an automated system of the following classes: electronic equipment, data, system and application software. All resources have value from an organization's perspective. To evaluate them, a system of criteria and a methodology for obtaining results according to these criteria must be selected;

· development of principles for classifying the company’s information assets and assessing their security;

· assessment of information risks and their management;

· training company employees in information security methods, conducting briefings and monitoring the knowledge and practical skills of implementing the security policy by company employees;

· consulting company managers on information risk management issues;

· coordination of private policies and security regulations among company divisions;

· control of the work of the company’s quality and automation services with the right to check and approve internal reports and documents;

· interaction with the company’s personnel service to verify the personal data of employees when hiring;

· organizing measures to eliminate emergency situations or emergencies in the field of information security if they occur;

Integrity of information – the existence of information in an undistorted form (unchanged in relation to some fixed state). Typically, subjects are interested in ensuring a broader property - the reliability of information, which consists of the adequacy (completeness and accuracy) of displaying the state of the subject area and the direct integrity of the information, i.e., its non-distortion.

There is a difference between static and dynamic integrity. In order to violate static integrity, an attacker can enter incorrect data or change existing data. Sometimes the content data changes, sometimes the service information changes. Threats to dynamic integrity include violation of transaction atomicity, reordering, theft, duplication of data, or the introduction of additional messages (network packets, etc.). In a network environment this activity is called active listening.

A threat to integrity is not only the falsification or modification of data, but also the refusal of completed actions. If there is no means to ensure "non-repudiation", computer data cannot be considered as evidence. Not only data, but also programs are potentially vulnerable to integrity violations. Malware injection is an example of such a violation.

An urgent and very dangerous threat is the introduction of rootkits (a set of files installed on a system with the aim of changing its standard functionality in a malicious and secretive way), bots (a program that automatically performs a certain mission; a group of computers on which similar bots operate is called a botnet), secret attacks (malware that listens for commands on specific TCP or UDP ports) and spyware (malware aimed at compromising confidential user data). For example, the Back Orifice and NetBus Trojans allow an attacker to gain control over user systems running various versions of MS Windows.

Confidentiality threat

The threat of a confidentiality breach is that information becomes known to someone who does not have the authority to access it. The term “leak” is sometimes used for a breach of confidentiality.

Confidentiality of information is a subjectively determined (attributed) characteristic (property) of information, indicating the need to introduce restrictions on the circle of subjects who have access to this information, and ensured by the ability of the system (environment) to keep this information secret from subjects who do not have the authority to access it. The objective prerequisites for such a restriction on the availability of information for some subjects lie in the need to protect their legitimate interests from other subjects of information relations.

Confidential information can be divided into subject and service information. Service information (for example, user passwords) does not relate to a specific subject area; it plays a technical role in an information system, but its disclosure is especially dangerous, since it opens the way to unauthorized access to all information, including subject information. A dangerous non-technical threat to confidentiality is the use of moral and psychological influence, such as a “masquerade”: performing actions under the guise of a person with authority to access data. Unpleasant threats that are difficult to defend against include abuse of power. On many types of systems, a privileged user (for example, a system administrator) is able to read any (unencrypted) file and gain access to any user's mail.

Currently, the most common are so-called “phishing” attacks. Phishing (from “fishing”) is a type of Internet fraud whose purpose is to gain access to confidential user data: logins and passwords. This is achieved by sending mass emails on behalf of popular brands, as well as personal messages within various services, for example, on behalf of banks, services (Rambler, Mail.ru) or within social networks (Facebook, Vkontakte, Odnoklassniki.ru). The targets of phishers today are clients of banks and electronic payment systems. For example, in the United States, masquerading as the Internal Revenue Service, phishers collected significant data on taxpayers in 2009.

For an enterprise, its information is an important resource. The information security policy defines the necessary measures to protect information from accidental or intentional acquisition, destruction, etc. Each employee of the enterprise is responsible for compliance with the safety policy. The goals of the security policy are:

  • Implementation of continuous access to company resources for the normal performance of their duties by employees
  • Providing critical information resources
  • Data integrity protection
  • Assignment of the degree of responsibility and functions of employees for the implementation of information security at the enterprise
  • Work to familiarize users with the risks associated with the enterprise's information resources

Employees should be periodically checked to ensure compliance with the information security policy. The policy rules apply to all resources and information of the enterprise. The company owns the rights to the ownership of computing resources, business information, licensed and created software, mail contents, and various kinds of documents.

For all information assets of an enterprise, there must be appropriate people with responsibility for the use of certain assets.

Access control to information systems

All duties must be performed only on computers approved for use in the enterprise. The use of personal portable devices and storage media is only possible with approval. All confidential information must be stored in encrypted form on hard drives equipped with hard drive encryption software. Employee rights to the information system should be reviewed periodically. To implement authorized access to an information resource, login to the system must be implemented using a unique username and password. Passwords must satisfy . Also, during a break, or when an employee is absent from his workplace, the screen saver function should be triggered to lock the working machine.

Access of third parties to the enterprise information system

Each employee must notify the information security service that he is providing third parties with access to information network resources.

Remote access

Employees who use personal portable devices may request remote access to the enterprise information network. Employees who work off-site and have remote access are prohibited from copying data from the corporate network. Also, such employees must not have more than one connection to networks that do not belong to the enterprise. Computers with remote access must contain .

Internet access

Such access should only be permitted for business purposes and not for personal use. The following are recommendations:

  • It is prohibited to visit a web resource that is considered offensive to society or contains sexual content, propaganda, etc.
  • Employees should not use the Internet to store company data
  • Employees who have accounts provided by public providers are prohibited from using enterprise equipment
  • All files from the Internet must be scanned for viruses
  • Internet access is prohibited for all non-employees

Equipment protection

Workers should also be mindful of implementing physical security for the equipment on which enterprise data is stored or processed. It is prohibited to manually configure hardware and software; information security service specialists are available for this.

Hardware

Users who work with confidential information must have a separate room to physically restrict access to them and their workplace.

Each employee, having received equipment from the enterprise for temporary use (business trip), must look after it and not leave it unattended. In case of loss or other emergency situations, the data on the computer must be encrypted in advance.

Formatting a medium before reuse or disposal is not a 100% guarantee that the device has been wiped. Also, data ports on desktop computers should be blocked, unless the employee has permission to copy data.

Software

All software installed on enterprise computers is the property of the enterprise and must be used for official tasks. It is prohibited for employees to install other software personally without agreeing with the information security service. All desktop computers must have a minimum set of software:

  • Antivirus software
  • Hard drive encryption software
  • Email encryption software

Company employees must not:

  • block or install other antivirus software
  • change security settings

Electronic messages (even deleted ones) can be used by government authorities or business competitors in court as evidence. Therefore, the content of messages must strictly comply with corporate standards in the field of business ethics.

Employees must not transmit confidential company information via mail without encryption. Employees are also not allowed to use public mailboxes. For document flow, only corporate mailboxes should be used. The following actions are not permitted when using email:

  • group mailing to all enterprise users
  • sending personal messages using company email resources
  • subscribing the company mailbox to newsletters
  • sending materials not related to work

Incident reporting, response and reporting

All employees must report any suspected security vulnerabilities. Also, weaknesses in the security system known to the employee must not be disclosed. If there are suspicions of viruses or other destructive actions on the computer, the employee must:

  • inform information security staff
  • do not turn on the infected computer and do not use it
  • Do not connect the computer to the enterprise information network

Premises with technical protection methods

All confidential meetings and negotiations must be held only in designated rooms. Participants are prohibited from bringing recording devices (audio/video) and mobile phones into the premises without the consent of the information security service. Audio/video recording can be made by an employee with permission from the information security service.

TSF software outside the kernel consists of trusted applications that are used to implement security functions. Note that shared libraries, including PAM modules in some cases, are used by trusted applications. However, there is no instance where the shared library itself is treated as a trusted object. Trusted commands can be grouped as follows.

  • System initialization
  • Identification and Authentication
  • Network Applications
  • Batch Processing
  • System management
  • User level audit
  • Cryptographic support
  • Virtual machine support

Kernel execution components can be divided into three component parts: the main kernel, kernel threads, and kernel modules, depending on how they will be executed.

  • The main kernel includes code that runs to provide a service, such as servicing a user system call, an exception event, or an interrupt. Most compiled kernel code falls into this category.
  • Kernel threads. To perform certain routine tasks, such as clearing disk caches or freeing memory by swapping out unused page blocks, the kernel creates internal processes or threads. Threads are scheduled just like normal processes, but they have no context in unprivileged mode. Kernel threads perform specific kernel C language functions. Kernel threads are located in kernel space and run only in privileged mode.
  • The kernel module and device driver kernel module are pieces of code that can be loaded and unloaded into and out of the kernel as needed. They extend the functionality of the kernel without the need to reboot the system. Once loaded, kernel module object code can access other kernel code and data in the same way as statically linked kernel object code.

A device driver is a special type of kernel module that allows the kernel to access hardware connected to the system. These devices can be hard drives, monitors, or network interfaces. The driver communicates with the rest of the kernel through a defined interface that allows the kernel to deal with all devices in a universal way, regardless of their underlying implementations.

The kernel consists of logical subsystems that provide various functionality. Even though the kernel is a single executable program, the various services it provides can be separated and combined into different logical components. These components interact to provide specific functions. The kernel consists of the following logical subsystems:

  • File subsystem and I/O subsystem: This subsystem implements functions related to file system objects. Functions implemented include those that allow a process to create, maintain, interact with, and delete file system objects. These objects include regular files, directories, symbolic links, hard links, files specific to certain device types, named pipes, and sockets.
  • Process subsystem: This subsystem implements functions related to process management and thread management. The implemented functions allow you to create, schedule, execute and delete processes and thread subjects.
  • Memory subsystem: This subsystem implements functions related to managing system memory resources. Implemented functions include those that create and manage virtual memory, including managing paging algorithms and page tables.
  • Network subsystem: This subsystem implements UNIX and Internet domain sockets and the algorithms used to schedule network packets.
  • IPC subsystem: This subsystem implements functions related to IPC mechanisms. Features implemented include those that facilitate controlled exchange of information between processes, allowing them to share data and synchronize their execution when interacting with a shared resource.
  • Kernel module subsystem: This subsystem implements the infrastructure to support loadable modules. Implemented functions include loading, initializing, and unloading kernel modules.
  • Linux Security Extensions: Linux security extensions implement various security aspects that are provided throughout the kernel, including the Linux Security Module (LSM) framework. The LSM framework serves as the basis for modules that allow the implementation of various security policies, including SELinux. SELinux is an important logical subsystem. This subsystem implements mandatory access control between all subjects and objects.
  • Device Driver Subsystem: This subsystem provides support for various hardware and software devices through a common, device-independent interface.
  • Audit subsystem: This subsystem implements functions related to recording safety-critical events in the system. The implemented functions include those that capture every system call to record security-critical events and those that implement the collection and recording of audit data.
  • KVM subsystem: This subsystem implements maintenance of the life cycle of a virtual machine. It emulates in the kernel those instructions that require only simple checks. For any other instruction emulation, KVM calls the QEMU user-space component.
  • Crypto API: This subsystem provides a kernel-internal cryptographic library for all kernel components. It provides cryptographic primitives for callers.

The kernel is the main part of the operating system. It communicates directly with hardware, implements resource sharing, provides common services to applications, and prevents applications from directly accessing hardware-dependent functions. Services provided by the kernel include:

1. Management of the execution of processes, including the operations of their creation, termination or suspension, and interprocess data exchange. These include:

  • Fair scheduling of processes for execution on the CPU.
  • Sharing the CPU between processes using time-sharing mode.
  • Executing the process on the CPU.
  • Suspending the process after its allotted time quantum has expired.
  • Allocation of CPU time to another process.
  • Rescheduling CPU time to resume a suspended process.
  • Managing process security-related metadata such as UIDs, GIDs, SELinux labels and capabilities.
2. Allocation of RAM for the executing process. This operation includes:
  • Permission granted by the kernel to processes to share part of their address space under certain conditions; otherwise, the kernel protects each process's own address space from external interference.
  • If the system is low on free memory, the kernel frees memory by temporarily writing process pages out to secondary storage (swap).
  • Coordinated interaction with the machine hardware to establish the virtual-to-physical address mapping, i.e., the mapping between compiler-generated addresses and physical addresses.
3. Virtual machine life cycle maintenance, which includes:
  • Setting limits on the resources configured by the emulation application for a given virtual machine.
  • Running the virtual machine's program code.
  • Handling virtual machine exits, either by completing the instruction in the kernel or by deferring completion of the instruction to the user-space emulator.
4. File system maintenance. It includes:
  • Allocation of secondary memory for efficient storage and retrieval of user data.
  • Allocating external memory for user files.
  • Recycle unused data storage space.
  • Organizing the file system structure (using clear structuring principles).
  • Protecting user files from unauthorized access.
  • Organizing controlled process access to peripheral devices such as terminals, tape drives, disk drives, and network devices.
  • Organizing mutual access to data for subjects and objects, providing controlled access based on the DAC policy and any other policy implemented by the loaded LSM.
The Linux kernel is a type of OS kernel that implements scheduling with task preemption. In kernels that do not have this feature, kernel code execution continues until completion, i.e. the scheduler is not capable of rescheduling a task while it is in the kernel. In addition, kernel code is scheduled to execute cooperatively, without preemptive scheduling, and execution of that code continues until it terminates and returns to user space, or until it explicitly blocks. In preemptive kernels, it is possible to preempt a task at any point as long as the kernel is in a state in which it is safe to reschedule.
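The access decision described in items 1 and 4 above (process UIDs, GIDs and capabilities checked by DAC, then any further restriction by the loaded LSM) is illustrated by the following added example; it is a simplified model written for this page, not kernel code. The mode-bit and capability rules follow the kernel's generic_permission(); the labels, the type-enforcement policy table and the sample subjects and inodes are constructed assumptions.

```python
"""Toy model of the kernel's file-access decision: DAC first (mode bits,
with CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH bypasses), then stacked LSM
hooks that may only deny, never grant. Hypothetical model, not kernel code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Permission bits as in <sys/stat.h>: R=4, W=2, X=1 within each triad.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Subject:
    uid: int
    gid: int
    groups: frozenset = frozenset()     # supplementary groups
    caps: frozenset = frozenset()       # e.g. {"CAP_DAC_OVERRIDE"}
    label: str = "unconfined_t"         # SELinux-style type label (assumed)


@dataclass(frozen=True)
class Inode:
    owner_uid: int
    owner_gid: int
    mode: int                           # nine permission bits, e.g. 0o640
    label: str = "default_t"
    is_dir: bool = False


def dac_allows(s: Subject, obj: Inode, want: int) -> bool:
    """Classic UNIX DAC: exactly one triad applies (owner > group > other)."""
    if s.uid == obj.owner_uid:
        triad = (obj.mode >> 6) & 7
    elif s.gid == obj.owner_gid or obj.owner_gid in s.groups:
        triad = (obj.mode >> 3) & 7
    else:
        triad = obj.mode & 7
    if triad & want == want:
        return True
    # CAP_DAC_OVERRIDE bypasses everything except executing a file that
    # carries no execute bit at all (directories may always be searched).
    if "CAP_DAC_OVERRIDE" in s.caps:
        if not (want & X) or obj.is_dir or (obj.mode & 0o111):
            return True
    # CAP_DAC_READ_SEARCH bypasses read on files, read and search on dirs.
    if "CAP_DAC_READ_SEARCH" in s.caps:
        remaining = want & ~(R | X) if obj.is_dir else want & ~R
        if remaining == 0:
            return True
    return False


# An LSM hook sees subject, object and requested access and returns True to
# allow; the framework ANDs every loaded hook, so any single deny wins.
Hook = Callable[[Subject, Inode, int], bool]


def type_enforcement_hook(policy: Dict[Tuple[str, str], int]) -> Hook:
    """SELinux-like hook: (subject label, object label) -> permitted bits."""
    def hook(s: Subject, obj: Inode, want: int) -> bool:
        return policy.get((s.label, obj.label), 0) & want == want
    return hook


def check_access(s: Subject, obj: Inode, want: int, hooks: List[Hook]) -> bool:
    """DAC is consulted first; LSM hooks run only if DAC allowed and can only restrict."""
    if not dac_allows(s, obj, want):
        return False
    return all(h(s, obj, want) for h in hooks)


# Constructed sample data (not taken from any real system).
SHADOW = Inode(owner_uid=0, owner_gid=42, mode=0o640, label="shadow_t")
SCRIPT = Inode(owner_uid=1000, owner_gid=1000, mode=0o644, label="user_home_t")
POLICY = {("unconfined_t", "shadow_t"): R | W,
          ("unconfined_t", "user_home_t"): R | W | X,
          ("httpd_t", "user_home_t"): R}
HOOKS = [type_enforcement_hook(POLICY)]

ALICE = Subject(uid=1000, gid=1000)
ROOT = Subject(uid=0, gid=0, caps=frozenset({"CAP_DAC_OVERRIDE"}))
HTTPD = Subject(uid=0, gid=0, caps=frozenset({"CAP_DAC_OVERRIDE"}), label="httpd_t")


def demo() -> Dict[str, bool]:
    """Each entry shows which layer decided: DAC, capability, or LSM."""
    return {
        "alice reads shadow": check_access(ALICE, SHADOW, R, HOOKS),      # DAC: other triad is 0
        "root reads shadow": check_access(ROOT, SHADOW, R, HOOKS),        # owner triad rw, LSM allows
        "httpd(uid 0) reads shadow": check_access(HTTPD, SHADOW, R, HOOKS),  # DAC ok, LSM denies
        "root execs script": check_access(ROOT, SCRIPT, X, HOOKS),        # no exec bit: override fails
        "root writes script": check_access(ROOT, SCRIPT, W, HOOKS),       # CAP_DAC_OVERRIDE, LSM allows
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} -> {'allow' if allowed else 'deny'}")
```

The "httpd(uid 0)" case is the point of the layering: uid 0 with CAP_DAC_OVERRIDE passes DAC, yet the loaded LSM still denies because the policy grants httpd_t nothing on shadow_t.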

In this article, I will try to compile a manual on the development of regulatory documentation in the field of information security for a commercial organization, based on personal experience and materials from the web.

Here you can find answers to questions:

  • why an information security policy is needed;
  • how to compose it;
  • how to use it.

The need for an information security policy

This section describes the need to implement an information security policy and accompanying documents not in the beautiful language of textbooks and standards, but using examples from personal experience.

Understanding the goals and objectives of the information security department

First of all, the policy is necessary in order to convey to the business the goals and objectives of the company's information security. Businesses must understand that security is not only a tool for investigating data leaks, but also an assistant in minimizing the company’s risks, and therefore in increasing the company’s profitability.

Policy requirements are the basis for implementing protective measures

An information security policy is necessary to justify the introduction of protective measures in a company. The policy must be approved by the highest administrative body of the company (CEO, board of directors, etc.).

Any protective measure is a compromise between risk reduction and user experience. When a security specialist says that a process should not occur in some way due to the appearance of certain risks, he is always asked a reasonable question: “How should it happen?” The security professional needs to propose a process model in which these risks are mitigated to some extent satisfactory to the business.

Moreover, any application of any protective measures regarding user interaction with the company’s information system always causes a negative reaction from the user. They do not want to relearn, read instructions developed for them, etc. Very often users ask reasonable questions:

  • why should I work according to your invented scheme, and not the simple way that I have always used
  • who came up with all this
Practice has shown that the user does not care about the risks: you can lecture him at length about hackers, the criminal code and so on, and nothing will come of it but wasted nerve cells.
If your company has an information security policy, you can give a concise and succinct answer:
“This measure was introduced to comply with the requirements of the company’s information security policy, which was approved by the highest administrative body of the company.”

As a rule, after this the energy of most users wanes. Those who remain can be asked to write a memo to this very highest administrative body of the company. This is where the rest are eliminated. Because even if the note goes there, we can always prove the need for the measures taken to management. It’s not in vain that we eat our bread, right? There are two things to keep in mind when developing policies.
  • The target audience of the information security policy is end users and top management of the company, who do not understand complex technical expressions, but must be familiar with the provisions of the policy.
  • Do not try to cram everything you can into this document! It should contain only the information security goals, the methods for achieving them and the responsibilities. No technical details unless they are essential. Everything else belongs in instructions and regulations.


The final document must meet the following requirements:
  • brevity: a large document will scare off any user and no one will ever read it (and you will more than once use the phrase “this is a violation of the information security policy with which you were familiarized”)
  • accessibility to the common man: the end user must understand WHAT is written in the policy (he will never read or remember words and phrases such as “logging”, “intruder model”, “information security incident”, “information infrastructure”, “technogenic”, “anthropogenic”, “risk factor”, etc.)
How to achieve this?

In fact, everything is very simple: the information security policy should be a first-level document, it should be expanded and supplemented by other documents (regulations and instructions), which will already describe something specific.
An analogy can be drawn with the state: the first-level document is the constitution, and the doctrines, concepts, laws and other regulations existing in the state only complement and regulate the implementation of its provisions. An approximate diagram is shown in the figure.

Rather than beat around the bush, let's simply look at examples of information security policies that can be found on the Internet.

Organization | Useful number of pages* | Loaded with terms | Overall rating
--- | --- | --- | ---
OJSC Gazprombank | 11 | Very high | 
JSC Entrepreneurship Development Fund "Damu" | 14 | High | A complex document for thoughtful reading; the average person will not read it, and if they do, they will not understand or remember it
JSC NC "KazMunayGas" | 3 | Low | Easy to understand, not overloaded with technical terms
JSC "Radio Engineering Institute named after Academician A. L. Mints" | 42 | Very high | A complex document for thoughtful reading; the average person will not read it, there are too many pages

* I call "useful" the number of pages excluding the table of contents, title page and other pages that carry no specific information

Summary

The information security policy should fit into several pages, be easy for the average person to understand, and describe in general terms the goals of information security, methods for achieving them and the responsibilities of employees.
Implementation and use of information security policy
After approval of the information security policy, you must:
  • familiarize all existing employees with the policy;
  • familiarize all new employees with the policy (how best to do this is a topic for a separate discussion; we have an introductory course for newcomers, at which I give explanations);
  • analyze existing business processes in order to identify and minimize risks;
  • take part in the creation of new business processes, so as not to have to catch up later;
  • develop regulations, procedures, instructions and other documents that complement the policy (instructions for providing access to the Internet, instructions for providing access to restricted areas, instructions for working with company information systems, etc.);
  • review the information security policy and other information security documents at least once a quarter in order to update them.

For questions and suggestions, welcome in comments and PMs.

Question %username%

As for the policy, the bosses don't like it when I put what I want in simple words. They tell me: "Besides me, you and 10 other IT employees who themselves know and understand everything, we have two hundred people who understand nothing about this, and half of them are pensioners."
I took the path of moderately brief descriptions, for example the anti-virus protection rules, and below I write something like "there is an anti-virus protection policy", etc. But I don't understand: if the user signs for the policy and then still has to read a bunch of other documents, it seems I have shortened the policy, but then again I haven't.

Here I would take the path of process analysis.
Let's say antivirus protection. Logically, it should be so.

What risks do viruses pose to us? Violation of the integrity (damage) of information, and violation of the availability (downtime of servers or PCs) of information. If the network is properly organized, the user should not have local administrator rights on the system, that is, he should not have the rights to install software (and therefore viruses) on the system. Thus the pensioners drop out, since they have no part in this.

Who can reduce the risks associated with viruses? Users with domain administrator rights. Domain administrator is a sensitive role, given to employees of IT departments and the like. Accordingly, they are the ones who should install antivirus software. It turns out that they are also responsible for the operation of the anti-virus system. Accordingly, they must sign the instructions on organizing anti-virus protection. In fact, this responsibility must be written down in the instructions. For example: the security officer sets the rules, the admins carry them out.

Question %username%

Then the question is: what should not be included in the anti-virus protection instructions? Responsibility for creating and using viruses (or is there a criminal article for that, so it need not be mentioned)? Or that users are required to report a virus or strange PC behavior to the Help Desk or the IT people?

Again, I would look from a risk management perspective. This smells, so to speak, of GOST 18044-2007.
In your case, "strange behavior" is not necessarily a virus. It could be a system slowdown or freeze, etc. Accordingly, this is not an incident but an information security event. Again, according to GOST, anyone can report an event, but whether it is an incident or not can only be determined after analysis.

Thus, this question of yours no longer translates into information security policy, but into incident management. Your policy should state that the company must have an incident handling system.

That is, as you can see, the administrative execution of the policy rests mainly with administrators and security officers. Users are left with the user-level matters.

Therefore, you need to draw up some "Procedure for using computing equipment (SVT) in the company," where you set out the responsibilities of users. This document should correlate with the information security policy and serve, so to speak, as an explanation for the user.

This document can state that the user is required to notify the appropriate authority of abnormal computer activity. And you can add all the other user-level requirements there as well.

In total, you need to familiarize the user with two documents:

  • information security policy (so that he understands what is being done and why, does not rock the boat, does not swear when introducing new control systems, etc.)
  • this “Procedure for using SVT in the company” (so that he understands what exactly to do in specific situations)

Accordingly, when implementing a new system, you simply add something to the “Procedure” and notify employees about this by sending the procedure by email (or through the EDMS, if available).
