Author: Danielle Johnsen (VP of Compliance)
Date: 5 April 2017
Version: 2.0
This document defines Digital Edge’s policy on Information Security and is based on the following principles.
- Maintaining confidentiality, integrity and availability of information.
- Handling information appropriately and according to its data classification.
- Preventing disruption to the operation of Digital Edge's infrastructure, and of Digital Edge's clients and their infrastructures, that would lead to financial loss or loss of reputation for Digital Edge.
- Ensuring business continuity and minimizing business damage by managing and minimizing the impact of information security incidents.
Version history:
Version | Date | Description
---|---|---
1.0 | March 27, 2017 | Initial policy
2.0 | April 5, 2017 | Approved by ISO review board
Introduction
The confidentiality, integrity and availability of information are of great importance to the operation of Digital Edge and its executives. Failure in any of these areas can result in disruption to the services that Digital Edge provides, as well as loss of confidence in the Digital Edge team by current and potential clients. The security of our information and other assets is therefore regarded as fundamental to the successful operation of Digital Edge.
Scope
Provision of Information Security for Help Desk, Support, Project Processing and Cloud Service Delivery Solutions to Commercial, Federal, Civilian, DoD and Intelligence Communities.
The selection of the risk reducing measures is documented in the Statement of Applicability (SOA) version 3.2 of 23 March 2017.
Policy Statements
These policy objectives are achieved through the implementation of our Information Security Policy, which includes security standards, procedures and guidelines developed in accordance with ISO 27001:2013. It is Digital Edge’s policy to:
- safeguard the accuracy and completeness of information and processing methods;
- ensure that authorized users have access to information and associated assets when required;
- ensure that information it manages shall be secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information;
- define an information classification scheme describing classes and how information of a particular class should be managed (stored, accessed, transmitted, shared, and disposed of);
- meet all information security requirements under appropriate regulations, legislation, organization policies and contractual obligations;
- address the security of all of our services and processes to ensure that risks are identified, and appropriate controls are implemented and documented;
- provide a secure working environment for staff and contractors at our sites;
- produce business continuity and incident response plans for Digital Edge's strategic infrastructure and its services, which will be maintained and tested on a regular basis;
- require all third parties working on our behalf to ensure that the confidentiality, integrity and availability requirements of all business systems are met;
- promote this policy and raise awareness of information security throughout Digital Edge's staff;
- provide appropriate information security training for our staff.
Responsibilities
Ultimate responsibility for the execution of this policy rests with the Chief Information Security Officer (CISO) of Digital Edge. The executives and heads of departments, assisted by the VP of Compliance, are responsible for the production and maintenance of Digital Edge's Security Policies, the controls that enforce those policies, and the provision of advice and guidance on their implementation and maintenance.
All breaches of information security will be reported according to Digital Edge's Information Security Policies and Procedures and investigated by appropriate staff according to the Incident Response Plan.
It is the responsibility of all staff to adhere to this policy.
Digital Edge reserves the right to inspect any data stored on Digital Edge's infrastructure or telecommunication systems, or transmitted or received via Digital Edge's networks, during the investigation of security incidents or when safeguarding against security threats.
Within this policy, the following individuals have the following responsibilities:
Responsibility | Role
---|---
Execution of this policy | CISO
Sponsorship and quality assurance of this policy | VP of Compliance
Production, maintenance and control of these policies | VP of Compliance
Protection of information systems and assurance that security processes and controls have been carried out | VP of Operation Security
Initiation, coordination and investigation of potential breaches of policy | VP of Compliance
Ensuring staff are aware of the policies and put appropriate controls in place to adhere to them | VP of Operation Security
Provision of advice, guidance, training and support on information security | CISO
Adherence to policy | All staff
Review
This Information Security Policy will be reviewed annually, or updated as necessary, by the Compliance Team to ensure that it remains current in the light of relevant legislation, organizational procedures and contractual obligations. Changes will be agreed by the Digital Edge ISO Board, which will also provide authorization and quality assurance.