Information Security Management System – Information Security Policy
Information and information systems are critical to the efficient and effective operation of the core business of IFDS (International Financial Data Services). As such, IFDS must strategically and tactically define how it creates, processes, transmits, and stores information (in both electronic and paper format) in a manner that always ensures its protection. Therefore, information security cannot just be something that we do; it must be an organizational culture that is deeply embedded in all aspects of our business.
To protect the confidentiality, integrity, and availability of our information, the IFDS Senior Management Team has approved an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013.
Senior Management is committed to the IFDS ISO/IEC 27001:2013 information security model and approves this document and supporting documents within the ISMS.
The Risk Management Committee and I, as Chief Security Officer, further endorse this Information Security Policy.
Dennis Gregoris, Chief Security Officer
March 29, 2023
1. Scope
This policy applies to International Financial Data Services (Canada) Limited (“IFDS”). It does not apply to International Financial Data Services Limited globally unless otherwise stated.
This policy applies to all employees (full-time, part-time, temporary, and casual) of IFDS. Unless otherwise specified in contractual agreements, offshore development, transfer agency operations, and other third parties are out of scope and are governed by local policies and specific agreements.
Where appropriate, this policy governs information throughout its lifecycle, as well as information technology (IT) assets owned or leased by IFDS including, but not limited to, networks, applications, servers, endpoints, removable media, telephony (including mobile devices and fax), and the buildings and processing facilities owned or leased by IFDS where such information and IT assets are located.
2. Information Security Management System
ISO/IEC 27001:2013 is the standard adopted by IFDS to govern its ISMS. This standard provides guidance on managing the risks of cybersecurity threats for the IT systems in scope. It is designed to ensure the implementation of adequate security controls that protect IFDS’ assets and give confidence to interested parties, including regulators and customers.
The ISMS contains 114 controls in 14 groups:
- Information Security Policies
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
Each ISMS domain contains control objectives stating what is to be achieved and one or more controls that can be applied to achieve those objectives.
As part of the ISMS, IFDS has established a framework of controls, policies and supporting documents, which it reviews annually.
3. Roles and Responsibilities
Risk Management Committee (RMC) includes members of the IFDS Leadership Team and is responsible for ensuring that a continuous risk management process is operating effectively at IFDS. The RMC will:
- Review and approve this policy.
- At a high-level, oversee the structure of the ISMS.
- Ensure that information security objectives are compatible with the organization’s strategic direction.
- At a high level, assign the roles and responsibilities for developing, implementing and maintaining the ISMS.
- Ensure that there are sufficient resources to develop, implement and maintain a security program.
- Evaluate the various risk management approaches used to manage security risks.
- Review security incidents that have, or could have had, a significant operational impact on critical data or systems; or any security incidents that may have a significant negative impact on IFDS or its clients.
- Review significant security concerns arising from internal or external audits, regulatory or threat landscape, and review responses to those concerns to ensure areas of potential risk are addressed.
- Where necessary, report security-related incidents or risks to the Board of Directors, the Executive Committee, and/or the Audit Committee.
- Provide leadership with respect to information security awareness, education, and training.
Chief Security Officer (CSO) is accountable for the development, implementation and maintenance of the ISMS and associated security programs designed to manage risk and ensure compliance with the ISO standard.
Director of Information Security is responsible for the development, implementation and maintenance of the ISMS and associated security programs designed to manage risk and ensure compliance with the ISO standard. This includes, but is not limited to:
- Define and update security controls that are consistent with industry best practices and enable IFDS to operate both securely and effectively.
- Provide advice and guidance on the implementation of security controls.
- Assess and manage risks within the environment, including risks associated with third parties.
- Report on the performance of the ISMS.
Security Committee (SC) is a cross-departmental forum responsible for reviewing security controls and initiatives to ensure that security risks remain within a tolerable level. The SC will:
- Review the ISMS (and associated metrics) regularly, and where appropriate, recommend opportunities for improvement.
- Ensure that the impact of security controls is considered against business objectives and priorities.
- Review internal and external issues that affect either the ISMS or the threat landscape.
- Review the results of security assessments and audits, and where necessary, provide feedback on remediation activities.
- Where required, review the status of remediation activities related to audit findings, client assessments, security assessments, penetration & vulnerability testing, and third-party vendor assessments.
- Regularly review information security incidents, and where possible, identify areas for improvement to prevent similar incidents in the future.
- Approve or deny all security exceptions.
- Review and approve security sub-policies and standards.
- Escalate significant security concerns to the RMC.
Compliance Officer is responsible for ensuring compliance with any law, statutory, regulatory, or contractual obligations.
All Managers are responsible for ensuring that:
- Direct reports have appropriate, authorized access to information and information systems, or have their access revoked when no longer required.
- Direct reports use information resources only for approved business purposes.
- Direct reports complete their required information security training.
- Direct reports are held accountable when they fail to execute their security responsibilities.
- Their business processes comply with all relevant security controls.
All Employees are responsible to:
- Understand and comply with this policy and other applicable ISMS policies or mandatory supporting documents.
- Ask for clarification from their Manager or Information Security when they are unclear about a security-related responsibility.
- Immediately report all security incidents or suspicious activities.
- Complete all security-related training within the required time limits.
4. Information Security Objectives
- Continually strengthen internal controls to protect the confidentiality, integrity and availability of information owned, created, stored and/or processed by IFDS, and of leased IT assets, on behalf of its clients, affiliates, partners, and employees.
- Effectively manage information security-related risks within the environment.
- Identify and respond to security incidents in a manner that minimizes the impact on the confidentiality, integrity, and availability of IFDS’ information and IT assets.
- Ensure that all employees and third-party resources understand and assume their security responsibilities.
- Enhance client, affiliate, stakeholder, market perception and confidence through demonstrable security controls that protect business investments and opportunities.
- Ensure compliance with information security-related regulatory and legal obligations.
5. Security Policy
IFDS’ core business relies heavily on information and information systems. These assets must be appropriately protected against threats to their confidentiality, integrity, and availability. To do so, IFDS will:
- Define information security controls (which may consist of administrative, technical, and physical controls) that align with business requirements, industry best practice, and legal, regulatory, and contractual requirements.
- Regularly review information security controls to ensure compliance, suitability, and effectiveness.
- Continually identify and assess information security risks and implement controls for the treatment and monitoring of such risks, including risks posed by third-party vendors.
- Classify and protect information according to its sensitivity.
- Control access to sensitive information and IT assets.
- Ensure that IFDS-owned applications are developed securely.
- Ensure that all IT assets (e.g., hardware, network, and endpoints) used by IFDS to create, access, use, or store information are secured.
- Establish a process to detect, respond to, and learn from security incidents.
- Regularly review, update and test the business continuity plan to ensure that information security requirements are properly addressed.
- Provide information security education and training to all employees annually, in addition to ongoing awareness activities provided throughout the year; and ensure that third parties perform information security education and training that is equivalent to IFDS’ own.
- Ensure that all employees are aware of their information security responsibilities, and hold all employees individually responsible for unauthorized or inappropriate access, disclosure, disposal, modification, or use of information and IT assets owned or leased by IFDS.
6. Policy Violations
Failure to comply with this policy or any mandatory supporting policies may result in disciplinary action, up to and including termination of employment or contractual agreement. Mandatory supporting policies include IFDS’ Acceptable Usage Policy, Clean Desk Policy, and Confidentiality Agreement.