U of I CS 498 - Corporate Policy on Information Security

Corporate Policy on Information Security

Purpose

The purpose of this document is to establish corporate policy for the protection of information assets and to delineate responsibilities for implementation of the policy.

Scope

This policy applies to Corporation Name corporate operations as well as all subsidiary operations. This policy is the umbrella policy for implementation across the corporation; other policies may clarify or further detail this policy.

References

Corporate Code of Ethics
Corporate Employee Handbook
Corporate Insider Trading Policy
Sarbanes-Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection Act), especially Section 404
1996 US Economic and Protection of Proprietary Information Act
1990 United Kingdom Computer Misuse Act

Corporate Policy

The corporation adheres to Generally Accepted Accounting Principles (GAAP) and, as a publicly traded company, also adheres to the Sarbanes-Oxley Act (SOX), its related regulations, and commensurate controls. The company is committed to integrity in reporting to shareholders and to the prevention of insider trading. The corporation is committed to protecting the privacy of personnel-related information. The company strives for individual accountability for information assets.

Information Security Concerns

To protect information assets in accordance with the corporate policy, the following classes of information assets are identified.

Financial

Financial Information Assets pertain to the Annual Report for the corporation, including (but not limited to) Stock and Financial Data, Balance Sheet, Income Statement, Cash Flow Statement, Audit Report, and the Internal Control Report (SOX Section 404).

Intellectual Property

Intellectual Property Information Assets include Patents, Copyrights, Trademarks, and Company Confidential information (e.g., Trade Secrets). The 1996 US Economic and Protection of Proprietary Information Act affords protection only to proprietary information whose owner has taken protective measures commensurate with its value; the controls applied to this class therefore serve a legal as well as a technical purpose.

Personnel Information

Information about employees is collected and maintained to evaluate employee performance, provide compensation, comply with state and federal regulations, and track benefits. In addition, personnel information may be gathered as necessary to resolve harassment or discrimination complaints. The corporation is committed to protecting the privacy and integrity of Personnel Information in accordance with applicable laws and regulations.

Plans and Procedures for Personal Security of Staff

Plans and procedures exist for protecting personnel both within company facilities and while entering or leaving the premises. While these are often closely related to Physical Security, they are a distinct information asset requiring protection: a plan describing how staff are protected is itself sensitive. Plans are developed to protect personnel while at the same time protecting other information assets.

Plans and Procedures for Physical Security of Property

Plans and procedures exist for protecting the physical security of company property, including guard schedules, video monitoring, badge procedures, building and room access, and personnel inspections. Many physical assets have an information asset aspect as well (e.g., a report [physical] detailing sales figures [financial]).

Responsibilities

1. Board of Directors

The Board of Directors will establish a Review Committee for quarterly reporting on Financial Information and the status of associated policies. This committee will provide a quarterly report in accordance with Sarbanes-Oxley and GAAP requirements.

2. Chief Executive Officer

The Chief Executive Officer is responsible for Corporate Information Security Policy implementation and review, as well as oversight of the quarterly report to the Board of Directors.

3. Chief Financial Officer

The Chief Financial Officer is responsible for identifying the Financial Information Assets that must have confidentiality, integrity (both data and process), and availability protections. The identified list of assets will be coordinated with the Chief Information Officer and the Family of Businesses Subsidiary Officers.

4. Chief Information Officer

The Chief Information Officer reports to the Chief Executive Officer and is responsible for:
- Coordination of all information protection plans across the corporation;
- Coordination and management of Information Security implementations across the corporation;
- Development and implementation of security protection for common corporate information services and facilities;
- Development and implementation of corporate-level Disaster Recovery and Business Continuity plans, and review of Subsidiary Disaster Recovery and Business Continuity plans;
- Continual monitoring for Information Security incidents, incident response coordination, and incident recovery throughout the corporation;
- Coordination of information security audits across the corporation (including support for Sarbanes-Oxley audits).

5. Subsidiary Managing Officer

Each Subsidiary Managing Officer is responsible for implementing information security policies within their company. The Officer is responsible for coordinating with the Chief Financial Officer to identify which Financial Information Assets reported to the corporation require protection, as well as identifying company-specific financial data requiring protection. The Officer will coordinate with the Chief Information Officer to ensure appropriate protections are identified and implemented on common corporate services (e.g., mainframe environment, networking). Additionally, the Officer will consult with the Chief Information Officer to ensure sufficient protections are implemented by the Subsidiary.

6. General Counsel

The General Counsel will ensure that all agreements with Employees, Sales Agents, Consultants, and Vendors address the responsibilities for protection of Information Assets. Additionally, the General Counsel will participate as needed in the resolution of information security incidents.

7. Human Resources

The Vice President, Human Resources is responsible for tracking the status of all agreements with Employees, Sales Agents, Consultants, and Vendors. While implementation may be delegated to Subsidiary officers, coordination shall be maintained at the corporate level. In addition, the Vice President, Human Resources will coordinate with the General Counsel and the Chief Information Officer to resolve incident outcomes. Awareness training for Employees, Sales Agents, Consultants, and Vendors