
2019 VAT IT-SP-012 Information Security Policy

VAT IT-SP-012 Revision 5 Page 2 of 11

1. Scope & Application

• This policy applies to all VAT IT entities and its Employees.

• VAT IT shall take all reasonable steps to protect the Client Information that it receives and adopt reasonable security measures depending on the sensitivity of the Client Information.

2. Purpose

VAT IT has adopted the Policy in order to:

• Establish and maintain the security of the Client Information that it receives;

• Ensure that the integrity of the Client Information is not compromised;

• Regulate the protection of all VAT IT information systems, applications and networks that process, transmit or store Client Information;

• Ensure that only authorized VAT IT Employees and personnel have access to the Client Information.

3. Definitions

For the purpose of this Information Security Policy, the below terms will have the following meanings:

• “Client/s” shall mean VAT IT’s client/s;

• “Client Information” shall mean any Information and/or Personal Data that VAT IT obtains or receives from its Client/s and/or documentation containing information about its Client/s;

• “CTO” shall mean VAT IT’s Chief Technology Officer;

• “Employee/s” shall mean VAT IT employees;

• “Information” shall mean any content, data or other information transmitted to or from, or stored on, VAT IT’s information technology system;

• “Personal Data” shall mean information which identifies a living individual;

• “Policy” shall mean this Information Security Policy;

• “Services” shall mean VAT and Tax Recovery Services provided by VAT IT;

• “SIRT” shall mean the Security Incident Response Team;

• “Technology Department” shall mean VAT IT’s Technology Department;

• “VAT IT” shall mean all VAT IT entities.

4. Legal requirements

• ISO 27001:2013 – Annexure A

• POPI Act

• Directive 95/46/EC

• General Data Protection Regulation


5. VAT IT Associated documents

• None

6. Risk assessment reference

• VAT IT-RA-001 ISO 27001 Risk Assessment

• VAT IT-RA-002 ISO 27001 Confidential Risk Assessment

• VAT IT-STP-001 Strategic Plan

7. Responsibility

• All VAT IT entities and Employees

• Responsibilities for the ISMS are the following:

o CTO is responsible for ensuring that the ISMS is implemented and maintained according to this Policy, and for ensuring all necessary resources are available

o CTO is responsible for operational coordination of the ISMS as well as for reporting about the performance of the ISMS

o CTO must review the ISMS at least once a year or each time a significant change occurs, and prepare minutes from that meeting. The purpose of the management review is to establish the suitability, adequacy and effectiveness of the ISMS

o SIRT will implement information security training and awareness programs for employees

o the protection of integrity, availability, and confidentiality of assets is the responsibility of the owner of each asset

o all security incidents or weaknesses must be managed according to the Incident Response Policy

o SIRT will define which information related to information security will be communicated to which interested party (both internal and external), by whom and when

o SIRT is responsible for adopting and implementing the Training and Awareness Plan, which applies to all persons who have a role in information security management

8. Policy

8.1 Objectives and measurement

To ensure the continued suitability and effectiveness of information security within VAT IT, a number of measurable objectives have been established. These objectives shall be monitored and reviewed as part of the ongoing measurement and metrics activities, and the Management Review process.

These objectives include:

VAT IT will measure the fulfilment of all the objectives. The CTO is responsible for setting the method for measuring the achievement of the objectives – the measurement will be performed at least once a year and the SIRT will analyse and evaluate the measurement results and report them to CTO as input materials for the Management review.


Refer to: VAT IT-STP-001 Strategic Plan

8.2 Information security requirements

This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.

A detailed list of all contractual and legal requirements is provided in the List of Legal, Regulatory and Contractual Obligations.

8.3 Information security controls

The process of selecting the controls (safeguards) is defined in the Risk Assessment and Risk Treatment Methodology.

The selected controls and their implementation status are listed in the Statement of Applicability.

8.4 Policy communication

SIRT has to ensure that all employees of VAT IT as well as appropriate external parties are familiar with this Policy.

8.5 Support for ISMS implementation

Hereby the CTO declares that ISMS implementation and continual improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as satisfy all identified requirements.

8.6 Human Resources Security

Prior to employment

• VAT IT shall carry out criminal checks on all candidates for employment, contractors and third party users. Those background checks must be carried out in accordance with ethical standards and must be reasonable taking into account the business requirements and the perceived security risks.

During employment

• VAT IT shall carry out information security awareness, education and training. VAT IT shall ensure that all of its Employees and, where relevant, other personnel and third party users, receive appropriate awareness training and regular updates on VAT IT policies and procedures, as relevant for their job function.

• All Employees that are authorized to process and deal with the Client Information shall sign indefinite Confidentiality Agreements and shall be made aware of their obligations contained therein.


• VAT IT shall have a formal disciplinary process for its Employees who have committed a security breach.

8.7 Physical Security of Client Information

VAT IT: Location

• VAT IT shall ensure that security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) are used to protect areas that contain Client Information.

• VAT IT shall ensure that areas which house Client Information are protected by appropriate entry controls to ensure that only authorised personnel are allowed access.

• VAT IT shall ensure its offices are equipped with alarm systems or have a 24-hour security presence.

• VAT IT shall put in place, where reasonable, physical protection against damage from fire, flood, civil unrest, and other forms of natural or man-made disaster (where relevant and appropriate).

• VAT IT shall ensure that access points, such as delivery and loading areas where unauthorised persons may enter the premises, are controlled and, if possible, isolated from information processing facilities.

• VAT IT and its Employees shall ensure all visitors to its offices are signed in by a member of staff and escorted at all times.

• Employees shall only make copies of Client Information where necessary in order to provide the Services. Such copies shall only be made in areas where card access is required.

• VAT IT and its Employees shall take all reasonable steps to ensure the security of Client Information.

VAT IT: Equipment security

• VAT IT shall ensure that its servers are sited or protected to reduce the risks from environmental threats and hazards as well as unauthorised access.

• VAT IT shall ensure that its equipment is protected from power failures and other disruptions caused by failures in supporting utilities.

• VAT IT shall ensure that power and telecommunications cabling carrying data or supporting information services are protected from interception or damage, and where third party suppliers are used, business critical services have redundant access.

• VAT IT shall ensure that equipment is correctly maintained to ensure its continued availability and integrity.


• VAT IT shall ensure that appropriate security is applied to off-site equipment taking into account the different security risks of working off-site.

• VAT IT shall ensure that all items of equipment containing storage media are checked to ensure that any Client Information has been removed and securely overwritten prior to disposal or re-use.

• In case of an emergency, every user is requested to take their work-allocated portable devices home with them.

VAT IT: External Data Centre

• VAT IT’s servers are hosted at a secure shared external data centre.

• Access to the external data centre is protected by appropriate entry controls which ensure that only authorised personnel are allowed access.

• The external data centre is equipped with alarm systems and has a 24-hour security presence.

• VAT IT shall conduct random checks regarding the security of Client Information at the External Data Centre.

• VAT IT shall ensure that the external data centre puts in place, where reasonable, physical protection against damage from fire, flood, civil unrest, and other forms of natural or man-made disaster (where relevant and appropriate).

8.8 Virtual Security

• VAT IT’s systems on which any Client Information is stored, or which are used to access the Client Information or perform the Services, shall be located behind firewalls with all ports blocked except those needed for specific VAT IT applications.

• VAT IT shall take such other measures as are reasonable to protect the Client Information, including, without limitation, virus and malware scanning, regular patching of all software within the environment, and adequate processes for vulnerability patching.

• VAT IT will ensure that anti-virus and anti-malware systems are installed on all systems and that the antivirus signatures are kept updated.

8.9 Asset Management

All items purchased will be recorded and maintained on a Fixed Asset Register by the Technology Department. In order to manage the register accurately and efficiently, all employees shall adhere to the following:


• Employees of VAT IT shall not remove IT assets supplied by the firm from company premises, except under the following conditions:

• IT assets assigned to employees, which may include laptop or tablet computers and Personal Digital Assistant (PDA) or Smartphone devices, may be removed from company premises for the following reasons only:

o Teleworking

o In the case of a disaster or fire drill

o Work that is outside of the office that is a part of an assigned position.

• Exceptions to this policy must be requested in writing and approved by the employee’s direct Manager / Supervisor / the CTO. Exceptions shall include the business or technical justification and the duration of the exception.

• Employees are responsible for safeguarding any IT assets they remove from the building, including keeping these assets under their direct physical control whenever possible, and physically securing the assets when they are not under the employee’s direct physical control.

• Employees must immediately report the loss or theft of any assigned IT assets to SIRT.

• Employees are not allowed to bring their own IT assets into work locations with the purpose of connecting to the firm’s private network.

• In general, connection of personal IT assets to networks provided by the firm for guest or public access is not allowed.

8.10 Transfer of Information

• VAT IT shall ensure the careful and regulated handling of external data carriers.

• VAT IT shall secure the electronic transfer of Client Information.

• VAT IT shall use a virtual private network (VPN) when connecting remotely to any internal system.

8.11 Access

• Access to Client Information will be restricted to authorised Employees who have a bona fide business need to access the aforementioned information.

• To ensure authorised user access and to prevent unauthorised access to information systems, VAT IT shall:

o implement formal user registration and de-registration procedures for granting and revoking access to all information systems and services;


o restrict and control the allocation and use of privileges;

o monitor passwords;

o review users’ access rights at regular intervals.

• In order to prevent unauthorised access to operating systems, VAT IT shall:

o control access to operating systems by a secure log-on procedure;

o ensure that all users have a unique identifier (user ID) for their personal use only, and that a suitable authentication technique is chosen to substantiate the claimed identity of a user;

o ensure that interactive systems for managing passwords are in place and that passwords are in accordance with VAT IT’s Password Protection Policy;

o ensure that inactive sessions shut down after a defined period of inactivity;

o use restrictions on connection times to provide additional security for high-risk applications;

o implement a clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities, and monitor the implementation of such policies;

o ensure that mobile computing equipment, such as but not limited to laptops, mobile phones and tablets, does not contain Client Information unless the CTO’s approval has been obtained or such information is encrypted and password protected.

8.12 Remote Access

• Any remote access to VAT IT’s network by its Employees shall be by way of two-factor authentication.

• Any remote access tools used by VAT IT to access Client systems which house Client Information shall meet the following requirements:

o The Employee using the tool must authenticate using a unique log-in;

o The Employee’s activity must be logged;

o There shall be certificate-based authentication on all server-to-server links; and

o There shall be a digitally signed installer for any end point software.

• Upon completion of the Services, VAT IT shall disable or remove any access to the extent the Client has not or is unable to remove such access.

• VAT IT shall not transfer or copy any Client Information to VAT IT’s systems or any system that is not the subject of the Services, unless necessary to perform the Services.


• VAT IT shall not add any information, software tools or other technologies to its Clients’ information technology systems without its Clients’ advance consent, and shall remove such information or tools completely upon completion of the Services.

8.13 Wireless Connectivity

• Wireless connectivity shall only be used if required for business reasons.

• VAT IT shall put into practice WPA2-Enterprise, or a superseding standard, and must not use WEP.

• Guest Access

o Guests shall be allowed to access only a ring-fenced dedicated guest wireless network.

• Staff access

o Staff will be required to authenticate with both username and password when connecting to the general wireless network.

8.14 Third Party Services

• In order to implement and maintain the appropriate level of information security and service delivery in accordance with third party service delivery agreements, VAT IT shall monitor and review the third party services.

8.15 Communications & Operations Management

• VAT IT shall manage and control its networks so that they are reasonably protected from threats and shall maintain security for its systems and applications using that network. VAT IT shall ensure that all network equipment will be located in physically secure, access-controlled environments.

• VAT IT shall produce and keep for an agreed period audit logs recording user activities, exceptions, and information security events to assist in future investigations and access control monitoring.

• VAT IT shall establish procedures for monitoring use of information processing facilities and must review regularly the results of the monitoring activities.

• VAT IT must log all system administrator and system operator activities.

• VAT IT shall log and analyse all faults and take appropriate action.

8.16 Correct Processing in Applications


• In order to prevent errors, loss, unauthorised modification or misuse of Client Information in applications, VAT IT shall:

o validate data input to applications;

o ensure validation checks are incorporated into applications;

o validate data output from an application.

8.17 Software

• Only software authorized by VAT IT shall be installed on all systems.

• VAT IT shall conduct audits to ensure that no unauthorized software is installed on systems.

8.18 Incident Reports

• The Technology Department shall notify the SIRT, within the time periods set out in VAT IT’s Incident Response Policy, of any unauthorized access to Client Information.

• VAT IT shall record all actions undertaken during management of a security incident or investigation which is of high or medium severity as determined in VAT IT’s Incident Response Policy.

• VAT IT shall, where requested and technically viable, provide its Clients with the ability to monitor real-time “Authorised User” actions, provided that it will not result in the breach of any law, contractual obligations, confidentiality duties, industrial arrangements or internal policies of either party.

• VAT IT shall ensure that all Employees, contractors and third party users of information systems and services note and report any observed or suspected security weaknesses in systems or services.

• VAT IT shall ensure mechanisms are in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.

• The Technology Department shall maintain adequate log files to perform an analysis of any incident.

8.19 Inspection

• The Client may inspect VAT IT’s premises, records, information technology systems and environments for compliance with this Policy, either on site or remotely. VAT IT will cooperate fully with any such inspection.


9. Review and Amendments

• This Policy may be amended by VAT IT from time to time.

• This Policy will be reviewed by VAT IT on an annual basis or as deemed appropriate based on changes in technology or regulatory requirements.

10. Approval, Implementation and Policy Owner

• This Policy has been approved by management.

• Management has authorized the CTO to ensure that this Policy is implemented.

• The owner of this policy is the CTO.