Information Security Policy

Introduction

Information security is a holistic discipline, meaning that its application, or lack thereof, affects all facets of an organization or enterprise. The goal of my Information Security Program is to protect the Confidentiality, Integrity, and Availability of the data employed within the organization while providing value to the way we conduct business. Confidentiality, Integrity, and Availability are the basic principles of information security and can be defined as:

  • Confidentiality – Ensuring that information is accessible only to those entities that are authorized to have access, many times enforced by the classic “need to know” principle.
  • Integrity – Protecting the accuracy and completeness of information and the methods that are used to process and manage it.
  • Availability – Ensuring that information assets (information, systems, facilities, networks, and computers) are accessible and usable when needed by an authorized entity.

I have recognized that my business information is a critical asset and as such my ability to manage, control, and protect this asset will have a direct and significant impact on my future success. 

This document establishes the framework from which other information security policies may be developed to ensure that the enterprise can efficiently and effectively manage, control and protect my business information assets and those information assets entrusted to me by my stakeholders, partners, customers and other third parties.

My Information Security Program is built around the information contained within this policy and my supporting policies.

Purpose

The purpose of my Information Security Policy is to describe the actions and behaviors required to ensure that due care is taken to avoid inappropriate risks to me, my business partners, and my stakeholders.

Audience

My Information Security Policy applies equally to any individual, entity, or process that interacts with any of my Information Resources.

Responsibilities

Executive Management 

  • Ensure that an appropriate risk-based Information Security Program is implemented to protect the confidentiality, integrity, and availability of all Information Resources collected or maintained by or on behalf of me.
  • Ensure that information security processes are integrated with strategic and operational planning processes to secure the organization’s mission.
  • Ensure adequate information security financial and personnel resources are included in the budgeting and/or financial planning process.
  • Ensure that the Security Team is given the necessary authority to secure the Information Resources under their control within the scope of my Information Security Program.
  • Designate an Information Security Officer and delegate authority to that individual to ensure compliance with applicable information security requirements.
  • Ensure that the Information Security Officer, in coordination with the Information Security Committee, reports annually to Executive Management on the effectiveness of my Information Security Program.

All Employees, Contractors, and Other Third-Party Personnel

  • Understand their responsibilities for complying with my Information Security Program.
  • Formally sign off and agree to abide by all applicable policies, standards, and guidelines that have been established.
  • Use my Information Resources in compliance with all of my Information Security Policies.
  • Seek guidance from the Information Security Team for questions or issues related to information security.

Policy

  • I maintain and communicate an Information Security Program consisting of topic-specific policies, standards, procedures and guidelines that:
    • Serve to protect the Confidentiality, Integrity, and Availability of the Information Resources maintained within the organization using administrative, physical and technical controls.
    • Provide value to the way we conduct business and support institutional objectives.
  • The information security program is reviewed no less than annually or upon significant changes to the information security environment.

Waivers

Waivers from certain policy provisions may be sought following my Waiver Process.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties. 

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.

Version History

Version | Modified Date | Approved Date | Approved By | Reason/Comments
--------|---------------|---------------|-------------|----------------------
1.0.0   | Aug 2023      |               | Franz Füßl  | Document Origination