ISMS Policy

Information Security Management System – Information Security Policy

Foreword

1. Scope

2. Introduction

3. Roles and Responsibilities

• Review and approve this policy.
• At a high-level, oversee the structure of the ISMS.
• Ensure that information security objectives are compatible with the organization’s strategic direction.
• At a high level, assign the roles and responsibilities for developing, implementing and maintaining the ISMS.
• Ensure that there are sufficient resources to develop, implement and maintain a security program.
• Evaluate the various risk management approaches used to manage security risks.
• Review security incidents that have, or could have had, a significant operational impact on critical data or systems; or any security incidents that may have a significant negative impact on IFDS or its clients.
• Review significant security concerns arising from internal or external audits, regulatory or threat landscape, and review responses to those concerns to ensure areas of potential risk are addressed.
• Where necessary, report security-related incidents or risks to the Board of Directors, the Executive Committee, and/or the Audit Committee.
• Provide leadership with respect to information security awareness, education, and training.

• Defining and updating security controls that are consistent with industry best practice and enable IFDS to operate both securely and effectively.
• Providing advice and guidance on the implementation of security controls.
• Assessing and managing risks within the environment, including risks associated with third parties.

• Review the ISMS (and associated metrics) on a regular basis, and where appropriate, recommend opportunities for improvement.
• Ensure that the impact of security controls are considered against business objectives and priorities.
• Review internal and external issues that affect either the ISMS or the threat landscape.
• Review the results of security assessments and audits, and where necessary, provide feedback on remediation activities.
• Where required, review the status of remediation activities related to audit findings, client assessments, security assessments, penetration & vulnerability testing, and third-party vendor assessments.
• Regularly review information security incidents, and where possible, identify areas for improvement to prevent similar incidents in the future.
• Approve or deny all security exceptions.
• Review and approve security sub-policies and standards.
• Escalate significant security concerns to the RMC.

• Direct reports have appropriate, authorized access to information and information systems, or have their access revoked when no longer required.
• Direct reports use information resources only for approved business purposes.
• Direct reports complete their required information security training.
• Direct reports are held accountable when they fail to execute their security responsibilities.
• Their business processes comply with all relevant security controls.

• Understanding and complying with this policy and other applicable ISMS policies or mandatory supporting documents.
• Asking for clarification from their Manager or Information Security when they are unclear about a security-related responsibility.
• Immediately reporting all real or suspected security incidents.
• Completing all security-related training within the required timeframes.

4. Objectives

• Continually strengthen internal controls to protect the confidentiality, integrity and availability of information owned, created, stored and/or processed by IFDS on behalf of its clients, affiliates, partners and employees, as well as IT assets owned or leased by IFDS.
• Effectively manage information security-related risks within the environment.
• Identify and respond to security incidents in a manner that minimizes impact on confidentiality, integrity, and availability of IFDS’ information and IT assets.
• Ensure that all employees and third-party resources understand and assume their security responsibilities.
• Enhance client, affiliate, stakeholder, market perception and confidence through demonstrable security controls that protect business investments and opportunities.
• Ensure compliance with information security-related regulatory and legal obligations.

5. Security Policy

• Define information security controls (which may consist of administrative, technical and physical controls) that align with business requirements, industry best practice, and legal, regulatory and contractual requirements.
• Regularly review information security controls to ensure compliance, suitability, and effectiveness.
• Continually identify and assess information security risks, and implement controls for the treatment and ongoing monitoring of such risks, including risks posed by third-party vendors.
• Classify and protect information according to its sensitivity.
• Control access to sensitive information and IT assets.
• Ensure that IFDS-owned applications are developed securely.
• Ensure that all IT assets (e.g., hardware, network, and endpoints) used by IFDS to create, access, use, or store information is secured.
• Establish a process to detect, respond to, and learn from security incidents.
• Regularly review, update and test business continuity plans to ensure that they address information security requirements.
• Provide information security education and training to all employees annually, in addition to ongoing awareness activities provided throughout the year; and ensure that third parties perform information security education and training that is equivalent to IFDS’ information security education and training.
• Ensure that all employees are aware of their information security responsibilities, and hold all employees individually responsible for unauthorized or inappropriate access, disclosure, disposal, modification, or use of information and IT assets owned or leased by IFDS.

6. Compliance

7. References and Supporting Documents