OBJECTIVE
This Information Security Policy ensures CRI Group’s Business Continuity and minimizes business damage by preventing and minimizing the impact of security incidents. CRI Group deploys an Information Security Management System (ISMS) that is compliant with ISO 27001:2013 as well as with applicable legal and regulatory requirements, such as the Data privacy law DIFC Law No. 1 of 2007, the General Data Protection Regulation 2016/679 and PDPA 2012 Singapore. The ISMS does this by protecting Information Assets and limiting access to them to only those with authorized access, ensuring business continuity and implementing controls to prevent and minimize the impact of security incidents. The Top Management aims to protect CRI Group’s Information Assets from all threats, whether internal or external, deliberate or accidental, and to mitigate the risks of incidents to an acceptable level.
POLICY
CRI Group’s Information Security Policy ensures that:
- Confidentiality, Integrity and Availability (CIA) of information shall be ensured for all data.
- Data classification shall be based on the CIA value and fall within Confidential, Restricted, Protected or Public category.
- Information shall be protected against unauthorized access and handled as per classification scheme.
- Availability of the information shall be made specific to legitimate business purpose.
- Information security awareness training shall be conducted for all ‘employees’ (company staff members and third parties) to inform them of information security requirements such as data protection, data classification, access control and general threats. Incidents such as information security breaches by third parties and misuse of networks, data, applications, computer systems and mobile devices shall be detected and responded to promptly. All breaches of information security, actual or suspected, will be reported to the GISO and investigated by the Information Security Committee.
- Ethical, industry best practice, regulatory and legislative requirements shall be met.
- Employees shall be required to commit and adhere to the Information Security Management Policy.
- Suitable reporting channels shall be available for employees to report incidents without fear of retaliation.
- Information retention shall be ensured as per applicable contractual and regulatory requirements.
- CRI Group shall continually improve the effectiveness of ISMS.
- Non-compliance with the Information Security Policy may result in disciplinary action, up to and including termination.
MEASUREMENT
- All applicable controls, as well as compliance with the Information Security Policy, will be audited at least once every 3 years.
- Business continuity will be tested annually.
- Information Security training and awareness will be provided to employees at induction and periodically.
- Access to IT systems that store or process data, and to designated secure areas, will be reviewed at least once every 90 days.
- Risk Assessment will be conducted at least once every year, or in the event of an incident or a change in a system.
IMPLEMENTATION
Information takes many forms and includes data stored on computers, transmitted across networks, printed out or written on paper, sent by fax, stored on USB devices, spoken over a call or in conversation. The GISO has direct responsibility for maintaining the Information Security Policy and providing advice and guidance on its implementation. Guidelines on the implementation of this Policy are available in the Information Security Management Policy. It is the responsibility of all employees and third parties working with CRI Group to comply with the Information Security Policy at all times and to report to the GISO any weaknesses or incidents that contravene or may contravene the policy. Management is directly responsible for implementing the Information Security Policy, providing resources, supporting procedures within their business areas, and ensuring adherence to the policy by their staff members.