1. The Information Security Policy sets out the basis for ExpertFlow (EF) in protecting the confidentiality, integrity, and availability of its data, for classifying and handling confidential information, and for dealing with breaches of this Policy. 
   
2. The Information Security Management System (ISMS) stipulated by ISO 27001 requires a comprehensive Information Security Policy document covering all areas of Information Security and given the prevalence of automated information handling techniques.

3. The structure of this Information Security Policy follows that of ISO/IEC 27001 to provide for easy correlation between the standard’s requirements and associated EF policy statements. Find our certificate here.

Purpose

4.   The management of Information Security is the reasonable selection and effective implementation of appropriate controls to protect critical organization information assets.  Controls and management processes, coupled with the subsequent monitoring of their appropriateness and effectiveness, form the primary elements of the Information Security programme.  The three goals of Information Security include:
   
   • Confidentiality
   • Integrity
   • Availability

5.   The employees shall not communicate to any entity, person or any other source any information known to them by reason of their official position that they know or ought to have known has not been made public, except as appropriate in the normal course of their duties or by authorization of the Top Management.

6. This Policy sets out the basis for the protection of information, facilitating security management decisions, and directing those objectives which establish, promote, and ensure best Information Security controls and management within the EF working environment.

Scope

7. This Policy states broad management principles guiding the Information Security programme in place within EF. This Policy applies to all physical areas under the control of EF.  Where other specific functional policies set more stringent requirements, they take precedence in those functional areas. This Information Security Policy shall be reviewed by the top management at regular intervals to ensure its continuing suitability, adequacy, and effectiveness.

8. Information security standards and information security related policies are subordinate to this Policy and provide more specific detail on implementation of this Information Security Policy.

​​Objectives 

9.   Establish the direction on and commitment to Information Security and ensure it is communicated, applied, and complied with throughout the organization.  Further, to develop and implement Information Security architecture, to protect information assets from loss or misuse, and to mitigate the risk of financial, productivity, and reputation loss to EF.

10.   The Information Security Policy consists of a principal declaration, which sets out the position on Information Security and defines security principles upon which this Policy is formed, followed by supporting Policy Statements that expand upon those principles.

Principles 

11.   EF recognizes that data and information (whether its own, or that entrusted to its care) are core to its ability to fulfill its mission.

12. EF is fully committed to protecting information and the environments in which information is processed, transmitted and stored, consistent with the following security principles:
    • Best practices in Information Security
    • The value or level of sensitivity
    • All applicable laws, policies, statutes, regulations, and contractual obligations

13. All EF staff and other authorized individuals or entities are responsible for maintaining appropriate control over information in their care and for bringing any potential threats to the confidentiality, integrity, or availability of that information to the attention of the management. Appropriate training and awareness programs will be available to support and reinforce this responsibility.

14. The following Policy Statements, structured on the ISO/IEC 27001 standard, support the Principal Declaration and define the compliance requirements of Information Security Policy management. The Statements address the following areas:
    
    • Asset Management
    • Human Resources Security 
    • Physical and Environmental Security 
    • Communications and Operations Management
    • Access Control 
    • Information Security Risk Management
    • Compliance

15.   Adherence to both the Policy and the related Information Security standards is mandatory for all staff and other authorized individuals and entities, to be incorporated within relevant working procedures.

16. The Quality Assurance & Information Security department undertake periodic monitoring and will conduct periodic audits of EF departments to confirm compliance with this Policy and related standards.

Asset Management

17.  To achieve and maintain appropriate protection and control of EF information assets and to ensure that responsibility and accountability for this protection and control is properly vested in designated information custodians. To ensure appropriate handling procedures are applied to important information assets.

Responsibility for Assets

18.  All assets shall be clearly identified and an inventory of all important information-related assets drawn up and maintained for information security purposes.

    Such important information-related assets for protection may include, but are not limited to:

    • Information: databases and data files, contracts and agreements, system documentation, user manuals, operational or support procedures, audit trails, and archived information
    • Software assets: application software, system software, development & QA tools, and utilities
    • Physical assets: computer equipment, communication equipment, removable media, and other equipment 
    • Services: computing and communications services, general utilities, e.g. heating, lighting, power, and air-conditioning

19.  All information and assets associated with information systems shall be owned by a designated unit of EF. The designated owner shall approve the responsibility for controlling the custody, production, development, maintenance, use and security of the assets; Routine tasks may be delegated, e.g. to a custodian looking after the asset on a regular basis, but the responsibility remains with the owner shall:

• • Ensure that information and assets associated with information systems under their control are appropriately classified
  • Periodically review access restrictions and classifications, taking into account applicable access policies

20.   Rules and standards for the acceptable use of information and assets associated with information systems shall be identified, documented and implemented.

Information Classification

21. Information shall be classified or categorized in terms of its value, legal requirements, sensitivity, and criticality to the EF.

22.   Appropriate procedures for labeling and handling sensitive information are developed and implemented.

Human Resources Information Security

23. EF ensures that staff and other authorized individuals or entities understand their responsibilities and to reduce the risk of theft, fraud or misuse of facilities. Candidates for employment and all other authorized individuals are adequately screened and detailed reference checks conducted, especially for sensitive jobs. Information security responsibilities are addressed prior to employment, in job descriptions and in the terms and conditions of EF Employment Agreement.

Prior to Employment 

24. Security roles and responsibilities of all staff and other authorized individuals or entities of EF information assets shall be defined and documented in appropriate terms and conditions prior to employment or contract finalization, reflecting the requirements of this Policy.

25. Verification of critical information, including academic qualifications, employment history and detailed reference checks on all candidates for employment, contractors, and third party users shall be carried out in accordance with relevant policies and procedures, and proportional to EF’s requirements, the classification of the information to be accessed, and the perceived risks. Reference checks are taken into account all relevant privacy, protection of personal data and/or employment based established policies and procedures that include:
    
    
    • Availability of satisfactory references
    • A check (for completeness and accuracy) of the candidates CV
    • Confirmation of claimed academic and professional qualifications
    • An independent identity check
    • More detailed checks as appropriate

During Employment

26. All staff and other authorized individuals or entities using EF information assets shall apply security measures in accordance with all relevant EF regulations, rules, policies and procedures.   All HR data, files and records are deemed sensitive and confidential.  EF shall ensure that all staff and other authorized individuals or entities:
    • Are properly briefed on their Information Security roles and responsibilities prior to be granted access to sensitive information or information systems.
    • Are provided with sufficient guidelines outlining the information security expectations for their role within EF.

27.  All EF staff and, where relevant, other authorized individuals or entities, shall receive appropriate training and regular updates on Information Security-related policies and procedures as relevant to their function.

28. Any required disciplinary procedure resulting from a serious breach of Information Security assets or protocols shall be conducted in accordance with the relevant provisions of EF Staff Regulations and Rules and employment agreements.

Staff Separation, Reassignment, and Termination

29. Responsibilities for performing employment separation, reassignment, and termination is clearly defined and assigned.

30. Staff and other authorized individuals or entities must return all EF assets in their possession upon separation from employment agreement.  The separation process shall formalize the return of all previously issued information assets.

31. The access rights of all staff and other authorized individuals or entities to information and information systems will be removed or altered as appropriate upon separation or termination of their employment agreement.  Any deviations from this requirement can occur only with the CEO/COO’s consent

Physical and Environmental Security

32. To ensure that EF premises, work areas, and information assets are adequately protected against identified risks to information assets.  Critical or sensitive information systems are housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls.

Information Assets 

33. All staff and other authorized individuals or entities shall ensure that documents containing sensitive information are secured when not in use.

34. Sensitive information assets shall not be removed from EF premises without proper authorization.

Work Areas

35. Security perimeters (barriers such as walls, card-controlled entry gates and doors, and manned reception desks) are used to protect areas that contain information and information systems.   

Equipment

36. Information systems are protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.  Power and telecommunications cabling carrying data or supporting information services are protected from interception or damage.

37. Information systems are protected from power failures and other disruptions caused by failures in supporting utilities.

38. Information systems are properly maintained to ensure continued availability and integrity. Only authorized maintenance staff performs maintenance, and adequate records of all maintenance are kept.  Where appropriate, information is cleared from storage equipment before maintenance is performed.

39. Information systems and equipment containing storage media is checked to ensure any sensitive data or licensed software has been removed or securely destroyed prior to disposal.

40. Information systems and equipment shall not be removed from EF premises without proper authorization.

Operational Procedures and Responsibilities

41. Formal documented procedures are established, maintained, and made available for all activities involving information processing and communication facilities.

42. Changes to information systems and applications are subject to change management control. Change management procedure is developed with appropriate documentation to demonstrate compliance.

43. Appropriate duties and responsibilities are implemented to the extent possible to reduce the possibility that any individual can compromise an application, a policy, a procedure or activity, or to perform unauthorized or unintentional modifications to, or to misuse any information assets.

Third Party Service Delivery Management

44. Service and delivery levels as well as security controls provided by third-party providers involved in supporting EF information processing or telecommunication services are monitored to ensure that services are implemented, operated, and maintained in accordance with contractual obligations.

45. Changes in the provision of third-party services are closely managed, taking into account the criticality of the information systems and processes involved and the re-assessment of all relevant risks.

System Planning and Acceptance

46. Acceptance criteria for new or upgraded information systems are established, and suitable tests of the system(s) are carried out during development and prior to acceptance.

47. Existing information system resources are monitored and adjusted as necessary, and projections made of future capacity requirements, to ensure continued performance at the required levels.

Protection against Malicious and Mobile Code

48. Detective, preventive, and corrective controls, as well as appropriate user awareness procedures are implemented to protect against malicious code.

49. Where the use of mobile code is authorized, the configuration ensures that the authorized mobile code operates according to a clearly defined security policy.

Backup

50. Appropriate backup arrangements, including annual testing is implemented and maintained to protect information and software and to ensure all critical information assets and processes can be recovered if required for any reason.

Network Security Management

51. Computer and communication networks are adequately managed and controlled, in order to be protected from threats, and to maintain security for systems and applications using the network, including information in transit.

52. Security features, service levels, and management requirements of all network services, both internal and outsourced, is be identified and included in all services agreements.

Storage Media Handling

53. Procedure is established for the management of removable storage media, including procedure for the safe and secure disposal of storage media when no longer required.

54. Procedure is established for the handling and storage of information to protect against unauthorized disclosure or misuse.
    

Monitoring

55. Procedure for monitoring use of information systems is established and the results of the monitoring activities are reviewed on regular intervals.

Information Exchange Procedures

External Parties

56. External parties, in this policy, include customers, partners, contractors and legal authorities. To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties, the following conditions apply:
    
    
    • The risks to the organization’s information and information processing facilities from business processes involving external parties are identified and appropriate controls implemented before granting access or sharing information with such entities.
    • Agreements with third parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities, or adding products or services to information processing facilities cover all relevant security requirements.

(Please refer to the Expertflow’s Data Protection and Privacy Policy on our website)

57. There shall be no exchange of sensitive EF information with a third party without authorization and appropriate controls in place to protect the information from unauthorized disclosure.  Agreements are established for the exchange of information between EF and external parties.  

Electronic Commerce and Business Information Systems 

58. Information associated with the interconnection of business information systems is protected to prevent misuse or corruption. Information involved in electronic commerce passing over public networks is protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

59. Information involved in on-line transactions is protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. The integrity of information provided on publicly available system is protected to prevent unauthorized modification.

Business Requirement for Access Control

60. To ensure appropriate restrictions on access to information, adequate access control is applied to the information assets to ensure access is available only to current members of staff (or other authorized individuals or entities) who require it in the course of their official duties and that the rights of user access take proper account of the type and level of sensitivity of the information concerned.

Information System Access Control

61. EF information systems, networks, services, operating software, and applications shall be configured ensure that appropriate access control and authorization mechanisms are implemented, functional, and effective.

62. The use of utility programs that might be capable of overriding system or other access controls are restricted and tightly controlled.

Information Security in Networks 

63. Automatic equipment identification is used to authenticate connections from equipment if it is important that the communications can only be initiated from specific equipment.

64. Physical and logical access to diagnostic and configuration ports are controlled.

65. Groups of information services, users and information systems are segregated on networks.  For shared networks, especially those extending across EF’s boundaries, the capability of users to connect to the network are restricted to EF business purposes on a need-to-know basis.

66. Routing controls are implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the applications.

67. Access to operating systems is controlled by a secure log-on procedure.  All users have a unique user ID for their personal use only and a suitable authentication technique used to authenticate users.

68. Sensitive systems have a dedicated (isolated) computing environment.

69. A formal policy/procedure is developed and implemented for tele-working activities and appropriate security measures are adopted to protect against the risks of using mobile computing and communication facilities.     

Information Systems Acquisition, Development and Maintenance

70. Objective: To ensure information systems (e.g. applications, infrastructures, services, etc.) are designed with security as an integral component and placed with all system-specific security requirements, fully understood and implemented.

Security Requirements for Information Systems

71. New information systems and major system enhancements are approved by the CEO/COO before being acquired or developed. New information systems and system enhancements undertakes formal testing in a controlled environment with user acceptance testing (UAT) prior to their promotion to production status.  Formal testing includes appropriate testing of all security requirements to ensure both their correctness and adequacy. Tests are documented and test results are retained as information assets.

72. The security requirements of a new information system or system enhancement shall be identified and agreed upon prior to system development or procurement

73. Ownership responsibilities in respect to a new information system is agreed upon prior to its implementation.

74. Data validation controls are incorporated during development and maintenance of information systems to detect and prevent any corruption of information through input, processing, or output errors. Requirements for ensuring authenticity and protecting message integrity in applications are identified, and appropriate controls identified and implemented.

Cryptographic Controls

75. The implementation of cryptographic controls during acquisition, development, and maintenance of information systems are managed and incorporate appropriate key management procedures.

Security of System Files

76. Procedure is implemented to control the installation of software on operational systems. Specific responsibilities for the installation of software on operational systems is defined and allocated to appropriately trained authorized users only.  Operational software libraries are maintained and access to program source code is restricted.

 Security in Development and Support Processes 

77. All changes to information systems (and their source code) are formally authorized and controlled to prevent the potential compromise of business processing and security arrangements. Adequate and documented testing of all changes is performed.

78. Before operating systems are changed, business critical applications are viewed and tested to ensure there is no adverse impact on EF’s operations or security.

79. Outsourced software development is supervised and monitored by the appropriate EF Development team(s).

Technical Vulnerability Management

80. Timely information about technical vulnerabilities of information systems being used is obtained, exposure to such vulnerabilities evaluated, and appropriate measures taken to address associated risks in the appropriate departmental risk management program.

81. The information security department monitors and conducts periodic assessments of risk to processes, information, systems and facilities is performed in the light of changing threats and technical vulnerabilities. 
     

Information Security Incident Management

82. Objective: To ensure incidents affecting Information Security within EF are reported and responded to in a timely and effective manner to allow corrective action to be taken.

Reporting Information Security Incidents and Weaknesses 

83. All employees and other authorized individuals or entities are required to report suspected information security weaknesses or incidents to their concerned department managers or team leads.

Management of Information Security Incidents and Improvements

84. The Information Security team or process owners develop and maintain Information Security event reporting and escalation procedure to ensure that Information Security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

85. In cases where an Information Security incident may involve either legal action or an internal investigation, the concerned process owner will consult with the information security manager along with the CEO/COO.

Business Continuity Management

86. Objective: To ensure that EF is equipped to react to disruptions of operations, and to ensure the timely resumption of critical business processes, following disasters or major failures of information systems.

(Please refer to the Expertflow’s Business Continuity Policy)

Compliance with Legal Requirements 

87. To ensure compliance with applicable legal, statutory, regulatory and contractual requirements, relevant procedure is implemented to guide EF personnel in terms of its obligations. Such obligations may be derived from, but are not limited to:
    • Decisions of EF policy-making authorities
    • Administrative directives

Compliance with Security Policies and Standards

88. EF managers/team leads ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and its related standards. Any non-compliance is documented along with appropriate reasons.

Information Security Audit Considerations

89. Audit requirements and activities involving checks on operational systems are carefully planned and agreed to in advance, to minimize the risk of disruptions to business processes.

90. Access to information systems audit tools are protected to prevent any possible misuse or compromise.

Roles & Responsibilities

91. Each department manager/team lead along with its team is responsible for its departmental Information Security within EF.

The Information Security & Risk Management Program

92. An Information Security Risk Management Program exists within each EF Department to ensure that there is a clear responsibility and accountability for the management of Information Security. The Information Security Risk Management Program provides the structure as well as an effective mechanism for coordinating and managing Information Security Risks within each department of EF.

93. In support of the Information Security Risk Management Program, each department manager/team lead exercises its duties in the following areas: 
    
    
    • Evaluate potential risks, determine the requirements and recommend suitable countermeasures to manage risks, in areas relating to the handling and protection of EF’s internal & external information;
    • Organize and coordinate the training of staff members in the areas of operations, information, communications, authorized users, facility, and information technology-related security procedures to be followed while working within EF.

94. The information security manager will also participate in the process of authorizing new information systems or applications to ensure that necessary security elements are considered and adequately addressed prior to the new system’s approval for use by EF.

95. The internal audits will provide the senior management of EF with a periodic independent assessment of the operation and effectiveness of the Information Security Management System.

96. There are regular Information Security Management Review Meetings consisting of department managers/team leads in EF who are a key to implementing the information security management system.

Compliance

97. Failure to comply with this Policy without obtaining a prior waiver shall be dealt with in accordance with EF Staff Regulations and Rules, or as appropriate, the staff contractual terms & agreements.

This policy is documented, implemented, maintained, and communicated at all levels within the organization and is also available to the interested parties for review.