As a data centre, the organization stores and provides tools to process information, which may include confidential information. As such, CAC shares a responsibility with its clients to help safeguard information and prevent its misuse.
The purpose of the Security Policy is to set out a framework for the protection of information assets at CAC. It aims to:
The Security Policy is a high-level document and adopts several controls to protect information. The controls are delivered by additional policies, standards, processes, and procedures supported by training and tools.
This document outlines a framework for the management of Information Security at the CAC.
The Security Policy, standards, processes, and procedures apply to all staff, employees, and contractual third parties who have access to CAC information systems or assets.
The Security Policy applies to all forms of information stored on CAC systems.
This policy is high-level and is supplemented by additional security policy documents which provide detailed policies and guidelines relating to specific security controls.
The CAC will undertake risk assessments to identify, quantify, and prioritize risks. Controls will be selected and implemented to mitigate the risks identified.
The following controls are in place at the CAC to reduce risk:
The security policy sets out an approach to managing information security.
The security policy is approved by management and is communicated to all staff, employees, and contractual third parties.
The security requirements for CAC will be reviewed at least annually by management. Formal requests for changes will be raised for incorporation into the Security Policy, processes, and procedures.
This Policy and the additional procedures help ensure that information will be protected from a loss of:
All incidents of information security, actual or suspected, must be reported and will be investigated.
Specialist external advice will be drawn upon where necessary to maintain the Security Policy and to address new and emerging threats and standards.
Formal roles and responsibilities are defined and assigned as appropriate to protect the information security systems at the CAC.
All staff and contractors are required to comply with the policies and procedures set out in this document and in its supporting documents.
All assets including data, information, software, computer and communications equipment, service utilities and people will be appropriately protected.
Owners will be assigned, and they will be responsible for the maintenance and protection of their assets.
Appropriate policies will be communicated to all employees, contractors and third parties to ensure that they understand their responsibilities.
Security responsibilities will be included in job descriptions and in terms and conditions of employment.
Regular background verification checks are carried out on all CAC employees.
Information security education and training are made available to all staff and employees.
Secure areas will be protected by well-defined perimeters with appropriate security barriers and entry controls. Staff are assigned physical access only as required.
Critical and sensitive information is housed in a secure area, and physically protected from unauthorized access, damage, and interference from environmental threats.
The data centre will have 24/7 on-call staff and third-party monitoring of its intrusion detection and environmental systems, and of other emergencies.
The CAC will operate its information processing facilities securely.
Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities are established.
Appropriate operating procedures are put in place to ensure the protection of data in transit and at rest.
Segregation of duties and cross-training are implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
Access to sensitive information is controlled. Following the principle of least privilege, employees, partners, and suppliers are granted access according to their role, and only at the minimum level required to carry out their duties.
A registration and deregistration process is implemented for access to all information systems and services, so that access is granted when a role requires it and revoked when it no longer does.
The information security requirements are defined during the development of business requirements for new information systems or changes to existing information systems.
Controls to mitigate the identified risks are implemented where appropriate.
Information security incidents and vulnerabilities associated with information systems must be communicated in a timely manner. Appropriate corrective action will be taken.
Formal incident reporting and escalation procedures are implemented.
All employees will be made aware of the procedures for reporting the different types of security incidents or vulnerabilities that might impact the security of the CAC’s assets.
The CAC will put in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
A business continuity management process will be implemented to minimize the impact on the CAC and recover from loss of information assets. Critical business processes will be identified.
A business impact analysis will be undertaken to assess the consequences of disasters, security failures, loss of service, and lack of service availability.
The CAC will abide by all legal, statutory, regulatory, and contractual obligations affecting its information systems.
The design, operation, use and management of information systems will comply with any statutory, regulatory, and contractual security requirements.