Information Security Policy
2025.1
Reviewed: 12/02/2024
Updated: 12/02/2024
Purpose and Scope:
- This information security policy defines the purpose, principles, objectives and basic rules for information security management.
- This document also defines procedures to implement high level information security protections within IMPLAN, including definitions, procedures, responsibilities and performance measures (metrics and reporting mechanisms).
- This policy applies to all users of information systems within IMPLAN. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by IMPLAN (hereinafter referred to as "users"). This policy must be made readily available to all users.
Background:
- This policy defines the high level objectives and implementation instructions for IMPLAN's information security program. It includes IMPLAN's information security objectives and requirements; such objectives and requirements are to be referenced when setting detailed information security policy for other areas of IMPLAN. This policy also defines management roles and responsibilities for IMPLAN's Information Security Management System (ISMS). Finally, this policy references all security controls implemented within IMPLAN.
- Within this document, the following definitions apply:
a. Confidentiality: a characteristic of information or information systems in which such information or systems are only available to authorized entities.
b. Integrity: a characteristic of information or information systems in which such information or systems may only be changed by authorized entities, and in an approved manner.
c. Availability: a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
d. Information Security: the act of preserving the confidentiality, integrity, and availability of information and information systems.
e. Information Security Management System (ISMS): the overall management process that includes the planning, implementation, maintenance, review, and improvement of information security.
Controls and Procedures
Policy:
- Managing Information Security
IMPLAN's main objectives for information security include the following:
(a) IMPLAN's objectives for information security are in line with IMPLAN's business objectives, strategy, and plans.
(b) Objectives for individual security controls or groups of controls are proposed by the IMPLAN Leadership, and others as appointed by the CEO; these security controls are approved by the CEO in accordance with the Risk Assessment Policy.
(c) All objectives must be reviewed at least once per year.
(d) The company will measure the fulfillment of all objectives. The measurement will be performed at least once per year. The results must be analyzed, evaluated, and reported to the management team.
- Information Security Requirements
(a) This policy and the entire information security program must be compliant with legal and regulatory requirements as well as with contractual obligations relevant to IMPLAN.
(b) All employees, contractors, and other individuals subject to IMPLAN's information security policy must read and acknowledge all information security policies.
(c) All employees, contractors, and other individuals subject to IMPLAN's information security policy must receive security awareness training no less frequently than annually.
(d) The process of selecting information security controls and safeguards for IMPLAN is defined in the Risk Assessment Policy.
(e) IMPLAN prescribes guidelines for remote workers as part of the Remote Access Policy.
(f) To verify the appropriateness of a cloud service provider, IMPLAN maintains a Data Center Security Policy (reference (c)).
(g) Security requirements for the software development life cycle, including system development, acquisition and maintenance are defined in the Software Development Lifecycle Policy.
(h) Security requirements for handling information security incidents are defined in the Security Incident Response Policy.
(i) Disaster recovery and business continuity management policy is defined in the Disaster Recovery Policy.
(j) Requirements for information system availability and redundancy are defined in the System Availability Policy.
(k) Information Security awareness training and updates will be provided by the IT team periodically, or as demand requires.
Server Hardening Guidelines and Processes
Linux System Hardening:
- Linux servers must use official Amazon Web Services images.
- Authentication must be done via SSH and keyfile.
- SSH sessions must be configured with a 15-minute inactivity timeout.
- Audit logging must be configured.
- For systems not used in the production environment of the application, the installation of security patches must be automated.
- Systems used in development of the application must have their patches applied in adherence to the System Change Policy.
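The following is an added example (not IMPLAN's own tooling) that checks an sshd_config file against the Linux hardening requirements above: key-file authentication only, a 15-minute inactivity timeout, and audit-grade logging. It assumes the timeout is enforced through the ClientAliveInterval/ClientAliveCountMax directives and that audit logging for sshd means LogLevel VERBOSE; the sample configs it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the Linux hardening bullets.
# Assumptions (not from the policy text): the idle timeout is implemented with
# ClientAliveInterval x ClientAliveCountMax, and "audit logging" means LogLevel VERBOSE
# (logs the fingerprint of the key used for each login). sshd honours the FIRST
# occurrence of a directive, so the checker reads the first match only.

sshd_directive() {   # sshd_directive FILE NAME -> effective value, lowercased ("" if unset)
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

check_sshd_config() {   # check_sshd_config FILE -> exit 0 if compliant, 1 otherwise
    f="$1"; rc=0
    [ "$(sshd_directive "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL $f: PasswordAuthentication must be 'no' (key-file auth only)"; rc=1; }
    [ "$(sshd_directive "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL $f: PubkeyAuthentication must not be 'no'"; rc=1; }
    iv=$(sshd_directive "$f" ClientAliveInterval); cnt=$(sshd_directive "$f" ClientAliveCountMax)
    iv=${iv:-0}; cnt=${cnt:-3}      # OpenSSH defaults: interval 0 (never probe), count 3
    [ "$cnt" -gt 0 ] || iv=0        # CountMax 0 disables the check in current OpenSSH
    if [ "$iv" -le 0 ] || [ $((iv * cnt)) -gt 900 ]; then
        echo "FAIL $f: idle sessions must drop within 900s (interval=$iv x count=$cnt)"; rc=1
    fi
    [ "$(sshd_directive "$f" LogLevel)" = "verbose" ] \
        || { echo "FAIL $f: LogLevel must be VERBOSE for audit logging"; rc=1; }
    return $rc
}

# Constructed sample configs (illustrative only, not real IMPLAN configuration).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
ClientAliveInterval 300
ClientAliveCountMax 3
LogLevel VERBOSE
EOF
cat > "$BAD_CFG" <<'EOF'
PasswordAuthentication yes
ClientAliveInterval 0
LogLevel INFO
EOF
check_sshd_config "$GOOD_CFG" && echo "PASS $GOOD_CFG"
check_sshd_config "$BAD_CFG" || echo "(BAD_CFG is non-compliant, as expected)"
```

Run it against /etc/ssh/sshd_config on a host to get a per-directive list of findings; a clean run prints only the PASS line.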
Windows System Hardening:
Windows systems have their baseline security configuration applied via the combination of Group Policy settings and/or automation scripts. These baseline settings cover:
- Joining the Windows Domain Controller and applying the Active Directory Group Policy configuration (for AD-managed systems only).
- Ensuring that the machine is up-to-date with security patches and is configured to automatically apply patches, through the use of remote monitoring and management tools, in accordance with our policies.
- Stopping and disabling any unnecessary OS services.
- Configuring session inactivity timeouts.
- Installing and configuring security protection agents such as anti-virus scanners.
- Configuring the system clock to point to approved NTP servers and ensuring that modifying system time cannot be performed by unprivileged users.
- Configuring audit logging.