Information Security Policy
Purpose
This policy establishes the minimum requirements and responsibilities for protecting the confidentiality, integrity, and availability of Uncanny Software information, intellectual property and customer information (collectively “Uncanny Software information”).
Scope
This policy applies to all individuals with access to Uncanny Software information.
Policy
Program
Information Security Program - Uncanny Software must implement a comprehensive information security program that will secure Uncanny Software information in a manner commensurate with each asset’s value as established by risk assessment and mitigation measures.
Requirements
Information Security Policies - Policies must be implemented and enforced to assure the confidentiality, integrity, and availability of Uncanny Software information. The information security program must be documented through policies and standards.
Information Security Standards & Procedures – Standards and Procedures must be implemented and enforced.
Enforcement
Policy Sanctions – Uncanny Software must implement sanctions against employees and third parties who violate the policies.
Exceptions
Exceptions to Policies — Exceptions to information security policies are permissible only in those instances where the request has been approved by the Head of Information Security and/or the Chair of the Cyber Risk Committee (CRC).
Responsibility Assignment
Information Security Team Responsibilities - The Information Security team is responsible for establishing and maintaining company-wide information security policies, standards and procedures.
InfoSec Team (InfoSec) - An information security management committee composed of at least one executive member must be established. The objectives of that Committee are to be documented in a charter.
Information Security Resources – The InfoSec team must facilitate the allocation of sufficient resources (internal and external) to adequately support information security program objectives.
Clear Assignment of Control Accountability - Uncanny Software management must clearly assign and document accountability for every internal control at Uncanny Software. This accountability must include sufficient transparency so that top management will be kept informed about the effectiveness and efficiency of these same internal controls.
Management Responsibility
Information security is a management responsibility, and decision-making for information security must not be delegated. While the Information Security team plays an important role in helping to make sure that controls are designed properly, functioning properly, and adhered to consistently, it is the responsibility of all Uncanny Software employees to protect Uncanny Software information.
Policy Awareness
Acknowledgment of Applicable Security Policies — All Uncanny Software employees must review and acknowledge acceptance of the Information Protection Manual at least once each calendar year.
Policy Review
Review of Information Security Policy Documents - Information security policy documents should be reviewed by the Information Security team and/or the InfoSec Team on an annual basis, if necessary, or when a significant change occurs.
InfoSec Goals
The Information Security team shall establish annual and quarterly goals in furtherance of program objectives.
Program Review and Maintenance
Cyber Risk Assessment - The information security program must be reviewed against industry standards, and updated each calendar year as part of the Uncanny Software Annual InfoSec Risk Assessment.
Annual Program Updates - The InfoSec team must facilitate improvement initiatives associated with findings from the annual InfoSec Risk Assessment.
Other Requirements
Laws, Regulations and Contractual Requirements - The Information Security team must collaborate with the Legal team as needed to ensure that information security program components are continuously in compliance with applicable laws and regulations, and contractual obligations with Uncanny Software customers.
Violations
Any violation of this policy may result in disciplinary action, up to and including termination of employment. Uncanny Software reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Uncanny Software does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties. Accordingly, to the extent permitted by law, Uncanny Software reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy. Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the Human Resources Department as soon as possible.
References
ISO/IEC 27001:2013 – A.6. Organization of information security