Information Security Policy
This Information Security Policy establishes roles and responsibilities for developing, implementing, monitoring and enforcing an IT Security Program at BridgeApps and its subsidiaries. This policy applies to all subsidiaries, agents, and/or consultants who work with BridgeApps or its customers, systems or information.
Scope
This policy applies to all employees, contractors, and other authorized individuals who have access to the organization’s sensitive information and systems, including but not limited to data, networks, devices, and facilities.
Responsibility - Company Employees & Contractors
- Read and comply with this policy.
- Protect the confidentiality, integrity, and availability of Company electronic information.
- When contracting with an external IT supplier, help ensure the supplier meets contractual obligations to protect and manage Company IT assets.
Responsibility - Suppliers
- Read and comply with this policy.
- Protect the confidentiality, integrity, and availability of Company electronic information.
- Meet contractual obligations, with emphasis on data compliance, to protect and manage the customers of BridgeApps and its reputation.
POLICY/PROCEDURE
IT Security Program
The BridgeApps IT Security Program shall:
- Define roles, responsibilities, authorities, and accountabilities related to IT Security.
- Approve services, solutions, and/or computer systems to enhance IT security.
- Provide coordination, evaluation, communication, and awareness about information security.
- Establish and maintain a security awareness program.
Access Control
BridgeApps IT Security shall:
- Oversee and grant access to information resources for the Company on a need-to-know, right-to-know, and time-to-know basis.
- Require that all employees, equipment, batch processes, agents, consultants, or any person whose services are obtained by contract or through a temporary agency use a unique identifier to access information resources.
- Require that access entitlements are approved by the department manager or data owner (unless granting pre-approved Job Function Profiles) prior to processing.
- Remove access within a reasonable timeframe upon termination notification by a manager and/or HR.
- Restrict group accounts and the sharing of individual accounts for computer and network access. Group accounts should be used as infrequently as possible and will be permitted on an exception basis only. Group accounts must be approved by the application owner and the Director of Technology or their designee.
Generic and Non-expiring accounts
- The Manager of Information Security or their designee must approve in writing all generic accounts and non-expiring passwords.
- Business justification for generic accounts and non-expiring passwords must be obtained from the requestor, and the justifications must be approved by the Manager of Information Security or their designee.
- Controls must be in place to identify accounts with administration and enterprise domain administration access.
Responsibilities
- Employees and contractors are responsible for protecting their passwords and maintaining the confidentiality of their login credentials.
- Employees and contractors are responsible for using secure networks and devices when accessing the organization’s sensitive information and systems.
- Employees and contractors are responsible for reporting any security incidents or suspected incidents to the appropriate authorities within the organization.
- Employees and contractors must follow all security procedures and policies as outlined in this policy and any additional guidelines provided by the organization.
Access control
The organization will use strong passwords and two-factor authentication to control access to its sensitive information and systems.
Access to sensitive information and systems will be granted on a need-to-know basis and will be regularly reviewed to ensure that access is still necessary.
Data protection
The organization will encrypt sensitive data in transit and at rest.
The organization will regularly back up data to ensure that it can be recovered in the event of a disaster or data loss.
The organization will implement security controls to prevent data breaches, such as firewalls and antivirus software.
Network security
The organization will install and regularly update firewalls and antivirus software to protect its networks and devices.
The organization will regularly patch and update its systems to ensure that they are secure.
Physical security
The organization will secure its facilities and control access to data centers.
The organization will implement security measures to protect against theft and tampering of its physical assets.
Incident response
In the event of a security incident, the organization will follow established procedures for reporting, investigating, and addressing the incident.
The organization will take corrective actions as needed to prevent future incidents and to protect the confidentiality, integrity, and availability of its sensitive information and systems.
Training and awareness
The organization will provide training to employees and contractors on information security best practices.
The organization will regularly remind employees and contractors of their responsibilities with respect to information security.
Review and updates
This policy will be reviewed and updated on a regular basis to ensure that it reflects the current state of the organization’s information security posture.