Information Technology Security Policy

1. Purpose

This policy establishes the information security framework to protect the confidentiality, integrity, and availability of the organization’s information assets. It aligns with the organization’s existing IT Security Operations Policy and Cybersecurity Framework, ensuring compliance with ISO 27001 while integrating with broader cybersecurity initiatives.

This policy does not replace the organization’s existing IT Security Operations Policy or Cybersecurity Framework but rather provides additional governance, oversight and implementation details specific to ISO 27001 requirements. Where discrepancies exist, the overarching IT Security Operations Policy and Cybersecurity Framework will take precedence.


2. Scope

This policy applies to all employees, contractors, third parties, and systems that handle, process, store, or transmit the organization’s information assets. It complements the IT Security Operations Policy and Cybersecurity Framework, ensuring that ISO 27001 controls are implemented effectively.


3. Relationship with the IT Security Operations Policy & Cybersecurity Framework

  • The IT Security Operations Policy defines the organization’s overall security objectives, guiding principles, and governance model from an IT operations point of view.
  • The Cybersecurity Framework (CF) provides a structured approach for managing cybersecurity risks across various domains and is owned by F&NL Group Risk Management.
  • This ISO 27001 Information Security Policy supports compliance by defining security controls that align with the ISO 27001 Annex A controls while remaining consistent with existing policies.
  • For further guidance, refer to:
    • FN IT Security Operations Policy.pdf
    • F&N Cybersecurity Framework.pdf


4. Information Security Objectives

The organization is committed to:

  • Protecting sensitive information against unauthorized access, modification, and loss.
  • Ensuring compliance with legal, regulatory, and contractual security requirements.
  • Establishing a risk-based approach to information security management.
  • Implementing industry best practices for security controls, monitoring, and incident response.
  • Continuously improving security measures through regular assessments and reviews.


5. Roles and Responsibilities

Senior Management: Provide leadership, support, and resources to implement and maintain information security measures.

Information Security Officer (ISO): Oversee the development, implementation, and monitoring of security policies and procedures.

IT Department: Ensure the deployment of technical controls to safeguard information assets.

Employees: Comply with security policies, report security incidents, and safeguard sensitive information.

Third Parties: Adhere to contractual security requirements and ensure compliance with this policy.


6. Information Security Controls

The organization will implement security controls across administrative, technical, physical, operational, and compliance domains, as defined in supporting policies, standards, and procedures.

6.1 Administrative Controls

  • Define and enforce an Information Security Management System (ISMS).
  • Establish and maintain an Information Security Policy, Standards, and Procedures.
  • Conduct regular risk assessments and implement mitigation strategies.
  • Ensure security awareness training for all employees and third parties.
  • Establish an incident response framework for detecting and handling security incidents.

6.2 Technical Controls

  • Implement access controls, including Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA).
  • Encrypt sensitive data in transit and at rest using approved cryptographic methods.
  • Deploy firewalls, intrusion detection/prevention systems, and endpoint security solutions.
  • Monitor systems and networks for security threats and vulnerabilities.
  • Ensure regular patching and updates for IT infrastructure and applications.
  • Employees must adhere to the Clear Screen Policy by locking their computers when away from their desks.
  • Automatic screen locking mechanisms should be enforced after a predefined period of inactivity.
  • All security controls outlined in this policy must be implemented in alignment with the Statement of Applicability (SoA), which lists the implemented controls in detail. The selection, justification, and implementation of controls will be regularly reviewed to ensure continued relevance and effectiveness.

For further guidance, refer to the Clear Desk and Clear Screen Policy.pdf.

6.3 Physical & Environmental Controls

  • Restrict physical access to data centres, offices, and critical IT infrastructure.
  • Implement CCTV surveillance, visitor management, and secure entry procedures.
  • Ensure proper disposal and destruction of sensitive information.
  • Protect IT equipment from environmental hazards such as fire, water damage, and power failures.
  • The Clear Desk Policy requires employees to store all sensitive documents securely at the end of the workday.
  • Printed documents must not be left unattended in shared office spaces, meeting rooms, or printers.

6.4 Operational Controls

  • Establish secure software development lifecycle (SDLC) practices.
  • Maintain backup and disaster recovery plans to ensure business continuity.
  • Enforce change management and configuration management processes.
  • Define security requirements for third-party vendors and service providers.

6.5 Compliance & Legal Controls

  • Ensure compliance with applicable laws and regulations (e.g., GDPR, HIPAA, PCI-DSS).
  • Conduct regular security audits, assessments, and ISMS reviews.
  • Maintain security documentation, including risk registers and audit logs.
  • Enforce confidentiality agreements and legal contracts for data protection.


7. Policy Review & Continuous Improvement

This policy shall be reviewed annually and updated as necessary to align with emerging threats, technological advancements, and regulatory changes. Any updates will be communicated to all relevant stakeholders.


8. Enforcement & Disciplinary Actions

Non-compliance with this policy may result in disciplinary actions, including termination of employment or contractual agreements, legal consequences, or other necessary corrective measures, as per the Disciplinary Framework.


9. Related Documents (MLD)

Refer to the Master Document List (MLD) for a detailed listing of related documents.