Overview
Information is a critical company asset. Information is comparable with other assets in that there is a cost in obtaining it and a value in using it. However, unlike many other assets, the value of reliable and accurate information appreciates over time instead of depreciating. Shared information is a powerful tool, and its loss or misuse can be costly, if not illegal. The intent of this Security Policy is to protect the information assets of the organisation.
In addition, the main objective of Dot Financial Inclusion technologies in this policy is to establish and maintain adequate and effective security measures for users, so that the confidentiality, integrity and operational availability of information are not compromised. Sensitive information must therefore be protected from unauthorised disclosure, modification, access, use, destruction or delay in service.
Each user has a duty and responsibility to comply with the information protection policies and procedures described on this page.
1. Purpose
This Security Policy is aimed to define the security requirements for the proper and secure use of the Information Technology services in the Organization. Its goal is to protect the Organization and users to the maximum extent possible against security threats that could jeopardise their integrity, privacy, reputation and business outcomes. This policy informs Dot Financial Inclusion technologies staff and other persons authorised to use Dot Financial Inclusion technologies facilities of the principles governing the retention, use and disposal of information.
2. Scope
This policy applies to all employees of Dot Financial Inclusion technologies who use computer systems or work with documents or information that concerns customers, suppliers or any other partner for whom the organisation has collected information in the normal course of its business.
3. Responsibility
The items below describe the roles involved and their responsibilities in the enforcement of the policies.
Chief Information Security Officer:
- Accountable for all aspects of the Organization's information security.
- Responsible for the security of the IT infrastructure.
- Plan against security threats, vulnerabilities, and risks.
- Implement and maintain Security Policy documents.
- Ensure security training programs.
- Ensure IT infrastructure supports Security Policies.
- Respond to information security incidents.
- Help in disaster recovery plans.
Information Owners:
- Help with the security requirements for their specific area.
- Determine the privileges and access rights to the resources within their areas.
IT Security Team:
- Implements and operates IT security.
- Implements the privileges and access rights to the resources.
- Supports Security Policies.
Users:
- Comply with Security Policies.
- Report any attempted security breaches.
4. Goals and Objectives followed
The goals and objectives followed by this policy are:
- Protect information from unauthorised access or misuse;
- Ensure the confidentiality of information;
- Maintain the integrity of information;
- Maintain the availability of information systems and information for service delivery;
- Comply with regulatory, contractual and legal requirements;
- Maintain physical, logical, environmental and communications security;
- Dispose of information in an appropriate and secure manner when it is no longer in use.
5. The Information We Collect
All users of Dot Financial Inclusion technologies information systems must be formally authorised by the company's security department. Authorised users will be in possession of unique user identities. Any password associated with a user identity must not be disclosed to any other person.
Authorised users shall take all necessary precautions to protect the company’s information in their personal possession. Confidential, personal or private information must not be copied or transported without consideration of
- the permission of the owner of the information;
- the risks associated with loss or falling into the wrong hands;
- how the information will be secured during transport to its destination.
6. Acceptable Use of Information System
User accounts on the company's computer systems must only be used for the company's business and must not be used for personal activities during working hours.
During breaks or mealtimes, limited personal use is permitted, but use must be legal, honest and decent while considering the rights and sensitivities of others.
- Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to company systems for which they do not have authorization.
- Users shall not attach unauthorised devices to their PCs or workstations unless they have received specific authorization from the employee's manager and/or the company IT designee.
- Users shall not download unauthorised software from the Internet onto their PCs or workstations.
Unauthorised use of the system may constitute a violation of the law or theft, and may be punishable by law. Unauthorised use of the company's computer systems and facilities may therefore constitute grounds for civil or criminal prosecution.
7. IT Assets Policy
7.1. Purpose
The IT Assets Policy section defines the requirements for the proper and secure handling of all the IT assets in the Organization.
7.2. Scope
The policy applies to laptops, monitors, printers and other equipment, to applications and software, to anyone using those assets including internal users, temporary workers and visitors, and in general to any resource and capabilities involved in the provision of the IT services.
7.3. Policy Definitions
- IT assets must only be used in connection with the business activities they are assigned and/or authorised.
- All IT assets must be classified into one of the Organization's security categories, according to the current business function they are assigned to.
- Every user is responsible for the preservation and correct use of the IT assets they have been assigned.
- All the IT assets must be in locations with security access restrictions, environmental conditions and layout according to the security classification and technical specifications of the aforementioned assets.
- Active desktops and laptops must be secured if left unattended. Whenever possible, this policy should be automatically enforced.
- Access to assets is forbidden for non-authorized personnel. Granting access to the assets involved in the provision of a service must be done through the approved Service Request Management and Access Management processes.
- All personnel interacting with the IT assets must have the proper training.
- Users shall keep the assets assigned to them clean and free of accidents or improper use. They shall not drink or eat near the equipment.
- Access to assets in the Organization's location must be restricted and properly authorized, including those accessed remotely. The company’s laptops and other equipment used at external locations must be periodically checked and maintained.
- The IT Technical Teams are solely responsible for maintaining and upgrading configurations. No other users are authorised to change or upgrade the configuration of the IT assets. That includes modifying hardware or installing software.
- Special care must be taken for protecting laptops, PDAs and other portable assets from being stolen. Be aware of extreme temperatures, magnetic fields and falls.
- When travelling by plane, portable equipment like laptops and PDAs must remain in possession of the user as hand luggage.
- Whenever possible, encryption and remote-erase technologies should be implemented on portable assets in case they are stolen.
- Losses, theft, damages, tampering or other incidents related to assets that compromise security must be reported as soon as possible to the Information Security Officer.
- Disposal of assets must be done according to the specific procedures for the protection of the information. Assets storing confidential information must be physically destroyed in the presence of an Information Security Team member. Assets storing sensitive information must be completely erased in the presence of an Information Security Team member before disposal.
8. Access Control Policy
8.1. Purpose
The Access Control Policy section defines the requirements for the proper and secure control of access to IT services and infrastructure in the Organization.
8.2. Scope
This policy applies to all the users in the Organization, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
8.3. Policy Definitions
- Any system that handles valuable information must be protected with a password-based access control system.
- Any system that handles confidential information must be protected by a two-factor-based access control system.
- Discretionary access control lists must be in place to control access to resources for different groups of users.
- Mandatory access controls should be in place to regulate access by processes operating on behalf of users.
- Access to resources should be granted on a per-group basis rather than on a per-user basis.
- Access shall be granted under the principle of "least privilege", i.e., each identity should receive the minimum rights and access to resources needed to successfully perform its business functions.
- Whenever possible, access should be granted to centrally defined and centrally managed identities.
- Users should refrain from trying to tamper with or evade access controls in order to gain greater access than they are assigned.
- Automatic controls, scan technologies and periodic revision procedures must be in place to detect any attempt made to circumvent controls.
9. Password Control Policy
9.1. Purpose
The Password Control Policy section defines the requirements for the proper and secure handling of passwords in the Organization.
9.2. Scope
This policy applies to all the users in the Organization, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
9.3. Policy Definitions
- Any system that handles valuable information must be protected with a password-based access control system.
- Every user must have a separate, private identity for accessing IT network services.
- Identities should be centrally created and managed. Single sign-on for accessing multiple services is encouraged.
- Each identity must have a strong, private, alphanumeric password to be able to access any service. Passwords should be at least 8 characters long.
- Each regular user may use the same password for no more than 90 days and no less than 3 days. The same password may not be used again for at least one year.
- Passwords for some special identities will not expire. In those cases, the password must be at least 15 characters long.
- Use of administrative credentials for non-administrative work is discouraged. IT administrators must have two sets of credentials: one for administrative work and the other for common work.
- Sharing passwords is forbidden. They should not be revealed or exposed to public sight.
- Whenever a password is deemed compromised, it must be changed immediately.
- For critical applications, digital certificates and multiple-factor authentication using smart cards should be used whenever possible.
- Identities must be locked if password guessing is suspected on the account.
10. Email Policy
10.1. Purpose
The Email Policy section defines the requirements for the proper and secure use of electronic mail in the Organization.
10.2. Scope
This policy applies to all the users in the Organization, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
10.3. Policy Definitions
- All assigned email addresses, mailbox storage and transfer links must be used only for business purposes in the interest of the Organization. Occasional use of personal email addresses on the Internet for personal purposes may be permitted if in doing so there is no perceptible consumption of the Organization's system resources and the productivity of the work is not affected.
- Use of the Organization's resources for non-authorized advertising, external business, spam, political campaigns, and other uses unrelated to the Organization's business is strictly forbidden.
- In no way may the email resources be used to reveal confidential or sensitive information from the Organization outside the authorised recipients for this information.
- Using the email resources of the Organization for disseminating messages regarded as offensive, racist, obscene or in any way contrary to the law and ethics is absolutely discouraged.
- Use of the Organization's email resources is maintained only to the extent and for the time needed for performing the duties. When a user ceases his/her relationship with the company, the associated account must be deactivated according to established procedures for the lifecycle of the accounts.
- Users must have private identities to access their emails and individual storage resources, except for specific cases in which common usage may be deemed appropriate.
- Privacy is not guaranteed. Where the strongest requirements for confidentiality, authenticity and integrity apply, the use of electronically signed messages is encouraged. However, only the Information Security Officer may approve the interception and disclosure of messages.
- Identities for accessing corporate email must be protected by strong passwords. The complexity and lifecycle of passwords are managed by the company’s procedures for managing identities. Sharing of passwords is discouraged. Users should not impersonate another user.
- Outbound messages from corporate users should have approved signatures at the foot of the message.
- Attachments must be limited in size according to the specific procedures of the Organization. Whenever possible, restrictions should be automatically enforced.
- Whenever possible, the use of Digital Rights technologies is encouraged for the protection of contents.
- Scanning technologies for viruses and malware must be in place on client PCs and servers to ensure maximum protection of incoming and outgoing email.
- Security incidents must be reported and handled as soon as possible according to the Incident Management and Information Security processes. Users should not try to respond by themselves to security attacks.
- Corporate mailbox content should be centrally stored in locations where the information can be backed up and managed according to company procedures. Purge, backup and restore must be managed according to the procedures set for the IT Continuity Management.
11. Internet Policy
11.1. Purpose
The Internet Policy section defines the requirements for proper and secure access to the Internet.
11.2. Scope
This policy applies to all the users in the Organization, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
11.3. Policy Definitions
- Limited access to the Internet is permitted for all users.
- The use of Messenger service is permitted for business purposes.
- Access to pornographic sites, hacking sites, and other risky sites is strongly discouraged.
- Downloading is a privilege assigned to some users. It can be requested as a service.
- Internet access is mainly for business purposes. Limited personal navigation is permitted if in doing so there is no perceptible consumption of the Organization's system resources and the productivity of the work is not affected. Personal navigation is discouraged during working hours.
- Inbound and outbound traffic must be regulated using firewalls at the perimeter. A back-to-back firewall configuration is strongly recommended.
- In accessing the Internet, users must behave in a way compatible with the prestige of the Organization. Attacks such as denial of service, spam, phishing, fraud, hacking, distribution of questionable material, copyright infringement and others are strictly forbidden.
- Internet traffic should be monitored at firewalls. Any attack or abuse should be promptly reported to the Information Security Officer.
- Reasonable measures must be in place at servers, workstations and equipment for the detection and prevention of attacks and abuse. They include firewalls, intrusion detection and others.
12. Antivirus Policy
12.1. Purpose
The Antivirus Policy section defines the requirements for the proper implementation of antivirus and other forms of protection in the Organization.
12.2. Scope
This policy applies to servers, workstations and equipment in the Organization, including portable devices like laptops that may travel outside of the Organization's facilities. Some policies apply to external computers and devices accessing the resources of the Organization.
12.3. Policy Definitions
- All computers and devices with access to the Organization network must have an antivirus client installed, with real-time protection.
- All servers and workstations owned by the Organization or permanently in use in the Organization facilities must have an approved, centrally managed antivirus. That also includes travelling devices that regularly connect to the Organization network or that can be managed via secure channels through the Internet.
- Organization’s computers permanently working in another Organization’s network may be exempted from the previous rule if required by the Security Policies of the other Organization, provided those computers will be protected too.
- Traveling computers from the Organization that seldom connect to the Organization network may have installed an approved antivirus independently managed.
- All installed antivirus software must automatically update its virus definitions. It must be monitored to ensure that successful updating takes place.
- Visitors' computers and all computers that connect to the Organization’s network are required to stay “healthy”, i.e. with a valid, updated antivirus installed.
13. Information Classification Policy
13.1. Purpose
The Information Classification Policy section defines a framework for the classification of the information according to its importance and the risks involved. It is aimed at ensuring the appropriate integrity, confidentiality and availability of the Organization's information.
13.2. Scope
This policy applies to all information created, owned or managed by the Organization, including information stored in electronic or magnetic form and information printed on paper.
13.3. Policy Definitions
- Information owners must ensure the security of their information and the systems that support it.
- Information Security Management is responsible for ensuring the confidentiality, integrity and availability of the Organization’s assets, information, data and IT services.
- Any breach must be reported immediately to the Information Security Officer. If needed, the appropriate countermeasures must be activated to assess and control damages.
- Information in the Organization is classified according to its security impact. The current categories are: confidential, sensitive, shareable, public and private.
- Information defined as confidential has the highest level of security. Only a limited number of persons must have access to it. Management, access and responsibilities for confidential information must be handled with special procedures defined by Information Security Management.
- Information defined as sensitive may be handled by a greater number of persons. It is needed for daily job duties, but should not be shared outside the scope needed for performing the related function.
- Information defined as shareable can be shared outside the limits of the Organization with those clients, organisations, regulators, etc. who acquire it or should be given access to it.
- Information defined as public can be shared as public records, e.g. content published on the company's public Web Site.
- Information deemed private belongs to individuals, who are responsible for its maintenance and backup.
- Information is classified jointly by the Information Security Officer and the Information Owner.
14. Remote Access Policy
14.1. Purpose
The Remote Access Policy section defines the requirements for secure remote access to the Organization’s internal resources.
14.2. Scope
This policy applies to the users and devices that need access to the Organization’s internal resources from remote locations.
14.3. Policy Definitions
- To gain access to the internal resources from remote locations, users must have the required authorization. Remote access for an employee, external user or partner can be requested only by the Manager responsible for the information and granted by Access Management.
- Only secure channels with mutual authentication between server and clients must be available for remote access. Both server and clients must receive mutually trusted certificates.
- Remote access to confidential information should not be allowed. The exception to this rule may only be authorised in cases where it is strictly needed.
- Users must not connect from public computers unless the access is for viewing public content.