
INFORMATION SECURITY POLICY

Introduction

This policy is the apex document of the Information Security Management System. It sets the direction for that system and has the sanction of the management of Simple Logic.

Objective

Simple Logic is committed to ensuring the confidentiality, availability and integrity of data and information for all employees and customers. Simple Logic shall foster customer confidence through its technical know-how and by acting in accordance with established security standards.

Management Commitment

The management at Simple Logic is dedicated to the ongoing enhancement of our overall information security. This commitment entails the adoption of the latest security measures and practices, engaging and raising awareness among all employees, vendors, and partners, regularly evaluating the overall information security risk landscape, and periodically revising and updating Simple Logic’s security policies based on continuous risk assessment.

Scope

This policy is applicable to all individuals, encompassing Simple Logic employees and third parties engaged with Simple Logic. This policy covers the usage of all the company’s information technology and communication resources which include, but are not restricted to:

  • All hardware associated with computing, encompassing desktop personal computers (PCs), laptops, workstations, mobile devices, wireless computing devices, telecommunications equipment, networks, virtual LANs, databases, printers, servers, shared computers, and the entire interconnected network and hardware infrastructure.
  • All software including purchased or licensed business software applications, company-written applications, employee or vendor/supplier-written applications, computer operating systems, firmware, and any other software residing on company equipment or company’s cloud space.
  • All intellectual property and other data stored on company equipment or company’s cloud space.
  • All of the above are included whether they are owned or leased by the company or are under the company’s possession, custody, or control.

Policy

It is the policy of Simple Logic to secure and protect its various information systems and assets in such a way that the following important criteria are met:

  • Availability: All Information Systems including hardware, communication networks, software programs and the data they hold will be available to all those users who need the systems at all times they are needed. 
  • Confidentiality: No data or information will be disclosed to any person within or outside the organization, other than the persons who are authorized to use that data.
  • Data Integrity: No data, information or programs will be allowed to be modified by anyone without proper authority and authorization. This will ensure the accuracy and completeness of information and processing methods. No data will be modified, added, edited or deleted except by users or programs that are authorized to do so, and only in the manner approved or designed.
  • All legislative and regulatory requirements relating to information security shall be met.
  • Business continuity procedures and drills must be produced, maintained and tested.
  • Information security awareness training shall be made available to all employees.
  • All actual or suspected information security breaches shall be reported to the Information Security Division (ISD) and shall be thoroughly investigated.
  • The Information Security Policy document, in conjunction with the control-specific Information Security Policies, defines the organization’s strategy for overseeing information security.
  • The policy outlines the organization’s high-level goals regarding information security, while the control-specific policies and their associated procedures offer the means by which the organization intends to attain these objectives.
  • Comprehensive policies that address various security domains are provided in separate documents. These policies form part of the control objective and shall be read in conjunction with this apex security policy:
  1. Asset Management Policy & Procedure
  2. Media Management Policy
  3. Identity and User Access Management Policy
  4. Backup & Restoration Policy & Procedure
  5. Acceptable Usage Policy
  6. IT Risk Management Methodology Procedure
  7. Network Management Policy
  8. Physical and Environmental Security Policy
  9. Vulnerability & Patch Management Policy
  10. Cloud Security Framework 
  11. IT Operation Security Policy
  12. Remote Working Policy
  13. System Acquisition & Development Policy
  14. Incident Management Policy including Cyber Incident
  15. Incident Management Procedure
  16. BCP & DR Plan
  17. Compliance Security Policy
  18. Third Party Security Policy
  19. Change Management Policy
  20. Human Resource Security Policy
  21. BYOD Policy & Procedure
  22. Endpoint Security Policy
  23. Database Administration Security Policy
  24. Storage Management Policy
  25. Server Management Policy
  26. Application Security Management Policy
  27. Cyber Crisis Management Policy
  28. Cyber Security Policy
  • This policy will be accessible to all Simple Logic employees. Employees are strongly encouraged to peruse the policies, comprehend their respective responsibilities, and actively contribute to upholding information security within the organization. This policy is considered proprietary and will not be disclosed to anyone except Simple Logic employees or authorized third parties collaborating with Simple Logic.

Information Security Division 

An Information Security Division (ISD) is formed to initiate and control the implementation of information security within the organization. The overall Information Security Division Structure is given below:

  • The Lead Cyber Security Officer will be the convenor of this forum and will document the proceedings.
  • The Information Security Division (ISD) will provide guidance and support to the various individuals responsible for implementing security measures, ensuring that security policies align with the organization’s business objectives.
  • The ISD will review, through IS audit reports and other feedback mechanisms, the status of implementation of and compliance with the policies. Additionally, the ISD will review all security incidents and the corresponding corrective actions taken.
  • All members of the ISD will coordinate the implementation of the security controls.
  • The Lead Cyber Security Officer will hold overall responsibility for executing and upholding the security policy. This individual will also provide guidance to IS team members and the IT Team regarding their security-related duties.  

Implementation

The Lead Cyber Security Officer is accountable for the upkeep of the security policy and for offering counsel and direction on its execution. It is the responsibility of all employees and third parties working within the scope of this Information Security Management System to comply with the security policy. All members of the management team bear direct responsibility for executing the security policy and reinforcing the associated procedures within their respective business domains, ensuring adherence by their team members.

Review, Evaluation and Measurement

The Lead Cyber Security Officer is tasked with overseeing the execution and verification of compliance with these policies. The ISD serves as both the owner and custodian of the policy and is responsible for updating its content. The ISD will evaluate the Information Security Policy, along with any control-specific policies, annually or whenever a significant alteration occurs in the existing information technology landscape that affects policies and procedures.

Disciplinary Process

The Information Security Policy must be enforced at all times. All Simple Logic employees must abide by this policy. Appropriate disciplinary action will be taken if the principles of this policy and its procedures are intentionally broken or avoided.

Exception Handling

Any deviation in the implementation of the Information Security Policies shall only be allowed upon approval from the Information Security Division (ISD). The reason for the deviation shall be presented to the ISD. All deviations shall be valid for a fixed term, with a maximum term of 6 months. The term can be extended upon approval from the ISD.