ISMS Policy

Scope

  • The policy applies to all information created or received in IT Security C&T.
  • This policy forms the basis of the IT Security C&T Information Security Management System (ISMS) and its related policies and procedures.

Purpose

This policy aims to define the information security requirements based on best practices and relevant standards for managing information security incidents and threats within the IT Security C&T. The goal is to reduce risks and protect the organization from internal and external threats, with a focus on the core security objectives: confidentiality, integrity, and availability of information.

Additionally, this policy aims to ensure compliance with the ISO/IEC 27001 standard and to establish a robust security environment that supports the Commission’s operations, mission, and strategic objectives.

Policy Statement

To ensure that all IT Security C&T information assets, people, intellectual property, computer systems, data and equipment are adequately protected, on a cost-effective basis, from all threats, whether internal or external, deliberate or accidental.

  • IT Security C&T protects information assets from unauthorized access.
  • IT Security C&T commits to complying with regulatory and legislative requirements.
  • IT Security C&T commits to maintaining a high level of competence for its staff.
  • Information security risks shall be managed based on the IT Security C&T Risk Management Methodology.
  • IT Security C&T commits to continually improving its ISMS and information security.
  • IT Security C&T will control and restrict access to information assets based on the need-to-know and least privilege principles.
  • IT Security C&T will continually improve its information security posture by measuring the performance of the ISMS and suggesting the actions needed to ensure its effectiveness.
  • IT Security C&T will treat and resolve security incidents and suspected vulnerabilities according to their respective nature.

Responsibilities

  • All managers are directly responsible for implementing the ISMS Policy and for monitoring their staff's adherence to it.
  • Compliance with this Policy and all other supporting policies, standards, and procedures is mandatory for all staff and third parties. Violation of this policy or any other IS policies, standards, or procedures will result in corrective action by management. Disciplinary action will be consistent with the severity of the violation, as determined by an investigation, and as deemed appropriate by management.