Difference between revisions of "ISO:Information Security"

From Hornbill
(Created page with "== Information Security == The Board of Directors and senior management of Hornbill Ltd (Hornbill) are committed to preserving the confidentiality, integrity and availability...")
 
Line 10: Line 10:
 
Senior management, full and part time employees, sub-contractors, project consultants and any other external parties have, and will be made aware of, their responsibilities to preserve information security, to report security breaches, and to act in accordance with the requirements of the Hornbill’s ISMS. The consequences of security policy violations are described in Hornbill’s disciplinary processes contained with the HR policy.  
 
Senior management, full and part time employees, sub-contractors, project consultants and any other external parties have, and will be made aware of, their responsibilities to preserve information security, to report security breaches, and to act in accordance with the requirements of the Hornbill’s ISMS. The consequences of security policy violations are described in Hornbill’s disciplinary processes contained with the HR policy.  
 
All  will receive information security awareness training and specialist employees will receive appropriately focused training as required to meet Hornbill’s business, contractual, and regulatory requirements and obligations.
 
All  will receive information security awareness training and specialist employees will receive appropriately focused training as required to meet Hornbill’s business, contractual, and regulatory requirements and obligations.
 +
Minimisation
 +
Only data that must be collected and stored SHOULD be collected and stored. The set of data should be the minimum required to achieve the goal. The Data security officer and team leads will be responsible for ensuring that any collected data is minimal. Any concerns or queries must be directed to the data security officers and a review of stored data conducted.  All marketing exercises that involve the collection of data MUST be approved by the Marketing systems manager who will ensure that all data is the absolute minimum required, compliant with the required laws and 100% OptIn with express consent obtained.
 +
 +
Anonymisation
 +
Any data collected and processed for analytical reasons must be anonymized. The level of anonymization is per node\instance or service.  No lower than service is permitted.
 +
Any data collected for security or Error detection (Log files) are not required to be anonymized before any processing but only the minimum used\made available for review, however should the same data be used for any other purposes then it must be scrubbed.
 +
 +
Statistics\Metrics\Measures
 +
Any data collected and processed for Statistics\Monitoring\Metrics must be anonymised, The level of anonymization is per node\instance\service\API.  No user should be identifiable. Only counts or other INT values may be collected
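Review bot: the added Minimisation paragraph mixes requirement levels: "Only data that must be collected and stored SHOULD be collected and stored" is circular (it defines the obligation in terms of itself and then lowers it to SHOULD), while the marketing sentence in the same paragraph uses MUST; state one requirement level, e.g. "Only the minimum data needed to achieve the stated purpose MUST be collected and stored." In the Anonymisation lines, "The level of anonymization is per node\instance or service. No lower than service is permitted." never defines the node/instance/service ordering, so a reader cannot tell whether per-service is the coarsest or the finest level allowed; spell out the hierarchy. Minor: "anonymized" and "anonymised" alternate across the added lines, "Error detection" and "Log files" are capitalised mid-sentence, and the final Statistics sentence has no full stop.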

Revision as of 16:16, 14 July 2022

Information Security

The Board of Directors and senior management of Hornbill Ltd (Hornbill) are committed to preserving the confidentiality, integrity and availability of all physical and information assets owned and controlled by the company. Hornbill is committed to implementing a Secure Operating Model structured and conformant with the internationally recognised standard for an Information Security Management System (ISMS) ISO/IEC 27001:2013.

Information is only accessible to those authorised to access it; this requires preventing both deliberate and accidental unauthorised access to Hornbill’s information and proprietary knowledge and to its systems, including networks, websites, and associated software applications.

This includes safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification of either physical assets or electronic data. The information and associated assets should be accessible to authorised users when required, and must therefore be physically secure. Internal and external networks must be resilient, and Hornbill must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information.

Senior management, full and part time employees, sub-contractors, project consultants and any other external parties have, and will be made aware of, their responsibilities to preserve information security, to report security breaches, and to act in accordance with the requirements of Hornbill’s ISMS. The consequences of security policy violations are described in Hornbill’s disciplinary processes contained within the HR policy.

All will receive information security awareness training, and specialist employees will receive appropriately focused training as required to meet Hornbill’s business, contractual, and regulatory requirements and obligations.

Minimisation

Only data that must be collected and stored SHOULD be collected and stored. The set of data should be the minimum required to achieve the goal. The Data Security Officer and team leads will be responsible for ensuring that any collected data is minimal. Any concerns or queries must be directed to the data security officers and a review of stored data conducted. All marketing exercises that involve the collection of data MUST be approved by the Marketing Systems Manager, who will ensure that all data is the absolute minimum required, compliant with the required laws and 100% opt-in with express consent obtained.

Anonymisation

Any data collected and processed for analytical reasons must be anonymised. The level of anonymisation is per node\instance or service. No lower than service is permitted.

Any data collected for security or error detection (log files) is not required to be anonymised before processing, but only the minimum should be used or made available for review; should the same data be used for any other purpose, it must be scrubbed.

Statistics\Metrics\Measures

Any data collected and processed for statistics\monitoring\metrics must be anonymised. The level of anonymisation is per node\instance\service\API. No user should be identifiable. Only counts or other INT values may be collected.