Information Security Policy
1. Information Security Policy
This policy uses principles defined by internationally recognised standards published by standards organisations such as the International Organization for Standardization (ISO), the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), as well as globally recognised organisations such as the Computer Security Institute (CSI), the Information Systems Security Association (ISSA) and others. This policy will continue to represent the most currently recognised international standards set by these organisations and others as the needs of the information security environment and the threat landscape change.
All information, regardless of the form or format, which is created, acquired or used in support of Law In Order’s business activities, must only be used for Law In Order company business. Law In Order information is an asset and must be protected through its effective lifecycle. It must be maintained in a secure, accurate, and reliable manner and be readily available for authorised use. Information must be protected based on its importance to business activities, risks, and security best practices.
Information is among Law In Order’s most valuable assets. The quality and availability of that information is critical to Law In Order’s ability to carry out its missions. Therefore, the security of Law In Order’s information, and of the technologies and systems that support it, is the responsibility of everyone concerned. Each authorised user of Law In Order information has an obligation to preserve and protect Law In Order information in a consistent and reliable manner.
Information security management enables information to be shared while ensuring protection of that information and its associated computer assets including the network over which the information travels. Law In Order technology staff and/or management personnel supporting business critical systems are responsible for ensuring appropriate physical, logical and procedural controls are in place on these assets to preserve the security properties of confidentiality, integrity, availability and privacy of Law In Order information.
Individual accountability is the cornerstone of any security program. Without it, there can be no security. Therefore, principles outlined in this policy and all related policies identified here by information security area must be adhered to.
All Law In Order information must be protected from unauthorised access to help ensure the information’s confidentiality and maintain its integrity. Information owners will classify and secure information within their jurisdiction based on the information’s value, sensitivity to disclosure, consequences of loss or compromise, and ease of recovery.
Appropriate retention and data recovery plans are required to ensure the reasonable and timely recovery of Law In Order information, applications, systems and security, should that information become corrupted, destroyed, or unavailable for a defined period.
2. Information Security Team
The creation and maintenance of an information security team responsible for implementing security governance, policies and procedures is essential for ensuring a favourable and relevant security posture and for achieving optimised resource utilisation. The Information Security function is led by Law In Order's Head of Information Security to balance security with technology and business requirements.
The Information Security team is also responsible for ensuring that the information security assessment of external parties is carried out by Law In Order or a professional third-party in accordance with Law In Order’s requirements.
3. Risk Assessment and Treatment
A risk assessment is an ongoing business process that identifies, quantifies, and prioritises risks against criteria for risk acceptance and objectives relevant to Law In Order.
Risk assessments will be conducted to identify threats that could harm and negatively impact critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters. Information security risk assessment involves at minimum:
- Estimating the likelihood that identified threats will materialise.
- Ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialise, in order to determine which operations and assets are critical.
- Once the most critical and sensitive assets and operations are identified, estimating the potential losses or damage that could occur if a threat materialises, including recovery, remediation and restoration costs.
- Identifying cost-effective actions to mitigate or reduce the risk. These actions include implementing new organisational policies and procedures as well as technical or physical controls.
- Considering all relevant risk types, including but not limited to reputational, financial, business operations and identity theft risks.
- Documenting the results and, in conjunction with the Law In Order Risk Management team and the Head of Information Security, developing a risk treatment remediation plan to mitigate these risks.
Business processes defined as critical (by Law In Order) must include systematic and proven risk assessment methods. Participants in the risk assessment process must identify, quantify and prioritise risks in light of objectives and Law In Order risk criteria.
The risk assessment method must include a risk treatment remediation effort to mitigate identified risks, using appropriate administrative, technical and physical controls. Acceptable risk treatment strategies include:
- Documenting the risk treatment choices made and the rationale for them;
- Transferring (some of) the risk mitigation to a third party, such as insurance; and
- Knowingly and objectively accepting some risks.
4. Asset Management
To achieve and maintain appropriate protection of organisational information and computing assets, Law In Order requires an inventory of these assets. For computing hardware and software assets, Law In Order mandates the creation and maintenance of an inventory list and ownership of these non-perishable computing hardware and software assets. At a minimum, all assets listed in an IT inventory list must also be included in Law In Order’s Fixed Assets Accounting Ledger. The CIO and CFO are responsible for ensuring that the two lists are in agreement.
All information assets must have an information owner established within the Law In Order lines of business who is responsible for assigning an initial information classification in accordance with Law In Order's Data Protection Policy, and for making all decisions regarding controls, access privileges of users, and daily decisions regarding information management.
A periodic review of data classification assessments may be required to determine the information's relative value, risk of compromise, etc. Based on the results of the assessment, information may be reclassified into a different Law In Order information classification category during its lifecycle.
In the course of conducting business we may collect and maintain personal information about individuals, be it our employees or consumers. We may receive such information from a number of sources, including our clients. Personal Information is defined as any information relating to an individual that (i) may identify a specific individual directly or (ii) indirectly when the individual’s identity can be reasonably ascertained from such information when combined with or used in conjunction with other available information. Examples of personal information include, without limitation, a person’s name, home, work and/or e-mail addresses, residential and/or mobile telephone numbers, marital status, and summary details of dependents. Personal Information is classified as “Confidential” under the Data Protection Policy.
Sensitive Personal Information is defined by data protection laws. It is a subset of Personal Information, and may include a person's birth date, payroll details (including salary/remuneration and pension details), social security number, tax number or other national identifier, driver's licence number, credit or debit card number or financial account number in combination with any required security code, email address in combination with a password or security question and answer that would permit access to an online account, physical or mental health or medical information, racial or ethnic origin, sexual lifestyle or orientation, political opinions, religious or philosophical beliefs, trade union membership, or commission of or proceedings related to a criminal offence. Sensitive Personal Information is classified as "Confidential" under the Data Protection Policy.
6. Human Resources Security
Law In Order works to reduce the risk of human error and misuse of Law In Order information and facilities to an acceptable level. In alignment with Human Resources Policies, Law In Order must ensure that employees, contractors and external party users understand their respective responsibilities, and are suitable for roles for which they are considered.
Prior to employment
In accordance with existing Human Resources policies, managers must ensure that roles and responsibilities associated with information security are clearly defined and documented in accordance with Law In Order's Information Security Policy. Police checks will be conducted prior to employment offers being made. Where applicable, job descriptions must include security-related expectations.
Law In Order management is required to ensure that all employees and external parties (contractors, third-party users, etc.) are aware of information security threats and concerns and of their responsibilities and liabilities in this area, and that employees have access only to information relevant to their responsibilities. Management will ensure proper training and security awareness relevant to the employee's job description. Further, management will impose discipline on employees who have committed a security breach.
Termination or change in employment
Termination of employment, discontinuation of access to company applications and data, and return of company property will be handled in accordance with the Law In Order termination process and procedure.
7. Physical and Environmental Security
Critical Law In Order information processing and storage facilities must be housed in environmentally secure areas protected by a defined security perimeter, with appropriate security barriers and some form of access controls. Physical protection measures will be implemented to protect the facility from unauthorised access, damage and interference. The CIO and Global Head of Infrastructure are responsible for ensuring that:
- Critical Law In Order information processing equipment is properly protected from power failures and other disruptions caused by failures in supporting utilities;
- Telecommunications and data cables are reasonably protected from interception;
- Removal of property is controlled and done in accordance with fully developed and authorised procedures; and
- All data is securely removed from information processing and storage devices prior to their disposal.
8. Communications and IT Operations Management
All Law In Order networks and operation of information processing must implement appropriate Law In Order security controls to ensure the integrity of the data flowing across Law In Order networks. If there is a business need, additional measures to ensure the confidentiality of the data will also be implemented.
The Head of Information Security will ensure that measures are in place to mitigate any new Law In Order security risks created by connecting the Law In Order networks to external facilities.
Where Law In Order has outsourced a Law In Order server or application to an external party (e.g., web applications), periodic security reviews of the outsourced environment must be performed to ensure the security and availability of Law In Order's information and application.
All connections to the Law In Order networks must be authorised by the Global Head of Infrastructure or CIO, and reviewed. Additions or changes to information processing facilities and systems must also be reviewed and approved through the Law In Order Change Management process.
Documented operations procedures must be created, maintained and made available to all users who need them, and must be monitored to ensure they operate effectively. Such procedures include processing and storage capacity monitoring; the segregation of production environments from development, testing and staging environments (where these exist); change management procedures to ensure only authorised changes are implemented; and user approval and acceptance where appropriate. Proper segregation of duties or adequate compensating controls must exist in these procedures.
Similarly, specific procedures and controls need to be implemented to ensure the operating environment is monitored effectively for optimal and secure performance, to ensure proper time synchronisation, and to allow for tracking of both normal and malicious activity. Audit logs must be captured, maintained and secured to provide the ability to detect, react to and prevent malicious activity. Proper controls must be implemented and documented to protect the integrity of software and information. Such controls include protection against malware, secured media exchange or disposal, and the availability of adequate backups for timely recovery from failures or disasters.
9. Access Control
To preserve the properties of integrity, confidentiality and availability, Law In Order information assets will be protected by logical and physical access control mechanisms commensurate with the value, sensitivity, consequences of loss or compromise, legal requirements and ease of recovery of these assets.
Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges will be (e.g., read, update, write, delete). These access privileges must be granted in accordance with the user's job responsibilities. In addition, Law In Order has developed an Access Control Policy to address user responsibilities as they relate to the protection of its critical assets; it covers areas such as password use, unattended user equipment, and clear desk and clear screen practices.
The Access Control Policy was also established to cover topics such as user registration, privilege management, network service management, user authentication, network segregation, network connection and routing control, diagnostic port and configuration port protection, limitation of connection time and timeout, as well as sensitive system segregation.
In addition, Law In Order has a Remote Access Policy which governs the mobile computing and telecommuting aspects of securing Law In Order information assets.
10. Information Systems Acquisition, Development and Maintenance
Software applications developed or acquired need to provide efficient, secure solutions to process information supporting Law In Order business needs. Many Law In Order business units are dependent on these applications, and it is essential the data processed by these applications be accurate. The software performing these activities must be protected from unauthorised access or tampering.
Security requirements and controls must reflect the business value of the information involved, and the potential business damage that might result from a failure or absence of security measures.
Law In Order is committed to applying information protection at levels proportional to the level of confidentiality of the information it stores, processes, transmits and transports. Law In Order mandates that cryptography be properly applied to secure its confidential communications and information carried beyond its secure perimeter, to secure connections from beyond this perimeter, and to secure its online business.
Strong encryption must be used to ensure data confidentiality, integrity, and authenticity. It must provide a means for non-repudiation in the case of security events. Cryptographic controls must be used in accordance with in-country use, import and export encryption legislation as it applies to both tangible and intangible products.
To ensure that adequate security measures are built into all Law In Order information systems, all security requirements, including the need for rollback arrangements, must be identified during the requirements phase of a development or system integration project and justified, agreed to and documented as part of the overall business case for a Law In Order information system. To ensure this activity is performed, the Head of Information Security and/or information security personnel must be involved in the System Development Lifecycle from the requirements definition phase through to implementation and eventual application retirement.
11. Information Security Incident Management
The objective of incident management is to ensure that information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
It is Law In Order's policy that anyone who detects a security incident must report it to Law In Order's Leadership Team, their immediate supervisor, or other functional management authority as soon as practical. The Head of Information Security invokes a Security Incident Procedure which informs the appropriate Law In Order parties of the incident. The CIO and Global Head of Infrastructure respond to and investigate detected attacks occurring against Law In Order information assets. The goal of the incident handling process is to minimise the impact and duration of security incidents that occur at Law In Order. Security incident investigation outcomes will be used as lessons learned and applied through information security policy and procedure revisions (if applicable) to prevent recurrence.
12. Business Continuity
As part of ensuring business operations, Law In Order business units, especially those rendering information systems related services, must implement appropriate controls to counteract interruptions in business operations and to protect critical business processes from the effects of a significant business disruption to ensure their timely resumption.
The management team is responsible for identifying events that can cause interruptions to business processes, along with the probability and impact of such interruptions. The business continuity plan will assist in identifying the consequences of such interruptions and in determining that an appropriate response is taken. The Leadership Team must develop procedures to maintain or restore operations and ensure availability of information at the required level and in the required timeframes following interruption to, or failure of, critical business processes. Regular testing of all Business Continuity Plans and Procedures must be instituted in the Business Continuity process and aligned with overall Law In Order Business Continuity requirements and overarching information security needs as defined by the Information Security Program.
Law In Order management, staff, and contracted third parties must avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements. Managers are responsible for ensuring that all information security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards.
Managers must ensure that important records are protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements. Managers must develop procedures to ensure compliance with legislative, regulatory, and contractual intellectual property rights (IPR).