Information Security Policy Governance Standard
Provides principles and guidance on the specific aspects of the Information Security Management System and outlines the roles, responsibilities and disciplinary actions.
Scope
This Standard applies to all Employees and Third parties that handle, manage, store, or transmit the EClaims Group’s information.
This Standard applies throughout the EClaims Group as part of the Information Security Management System framework.
Roles in Information Security Management
CEO's responsibilities:
Establish the directions, objectives, and principles for the assurance of information security within the EClaims Group
Participate in Information Security Management System reviews.
Information Security Team responsibilities are:
Lead the EClaims Group’s process for selecting the information security control measures consistent with the Information Security Management System and the EClaims Group’s risk management strategy
Assign responsibilities for the selected information security control measures
Review the information security control measures periodically and, when necessary, update the selection
Define and disseminate the parameter values for the relevant information security controls, defined by the EClaims Group
Acquire or develop and maintain the tools, templates, or checklists to support the information security control selection process and development of the system security plans
Develop an EClaims Group-wide continuous information security monitoring strategy
Provide training on selected information security control measures
Connect and communicate with special interest groups, specialist security forums, and professional associations
Contact and deal with the relevant authorities when needed
Information Asset and System Owners responsibilities are:
Keep the Information Systems & Assets Register up to date
Identify the classification level of the Information Systems & Assets
Define and implement the appropriate information security control measures to ensure the confidentiality, integrity, and availability of the Information Systems and Assets
Assess and monitor the information security control measures to ensure their compliance and report the instances of non-compliance
Authorize access to those who have a business need for the Information System or Asset
Ensure that access is removed from those who no longer have a business need for the Information System or Asset
Complete the Information System and Asset management training
Employee responsibilities are:
Protect the Information Systems and Assets from unauthorized access and use
Maintain confidentiality of authentication information and comply with the Access Control Policy
Adhere to the information security control measures
Report any weaknesses or new requirements for the current information system operations
Complete the information security awareness training
Information Security Risk Management
Information security risk management must identify risks associated with the loss of confidentiality, integrity, and availability for the Information Systems & Assets
Information security risk assessment is conducted once per year or if there are significant changes in the EClaims Group activities or risk factors
Identified information security risks must be registered in the Information Security Risk Register, including the identified risk owner
Evaluated information security risks exceeding the acceptable level must be managed and registered in the Information Security Risk Treatment Plan approved by the CEO
Information security risks must be managed according to the Information Risk Management Standard.
Information Security in Development and Change Management
Information security must be an integral part of the development processes in order to build secure services, applications, and software
Information security in development must be ensured in accordance with the Secure Development Standard
Changes must be controlled and managed to ensure integrity and stability of a system and to comply with the existing information security control procedures
System changes must be managed in accordance with the Change Management Policy
Risks associated with the system changes must be managed in accordance with the Information Risk Management Standard or the rapid risk assessment methodology provided by the Information Security Team
Work from Home
Employees are allowed to work from home if appropriate information security control measures are taken to secure information
Work from Home requirements are outlined in the Internal Work Rules
Mobile Device Management
Corporate Group-owned mobile devices must be managed by the IT administrators and configured in accordance with the Information Security Requirements Standard.
Employees must:
Use the EClaims Group’s secure connection to access the Information Systems and Assets while not working in the office
Assure physical security of a mobile device owned by the EClaims Group
Keep the configuration of a mobile device owned by the EClaims Group unchanged
Employees may use their own mobile devices (BYOD, e.g., mobile phones, tablets) to access noncritical Information Assets (e.g., Slack, EClaims Group’s email).
It is forbidden to access the Corporate Group’s Critical Information Systems or Assets with an Employee’s own device.
The Corporate Group may use additional software security measures to control Employees’ own devices used for work, including but not limited to:
Separation of private and business use environments
Business data encryption
Remote business data erasure
Employees must be trained to raise their awareness of the information security controls that apply to EClaims Group-owned mobile devices and to BYOD.
Information System & Asset Management
Information Systems and Assets associated with the Corporate Group’s information and information processing facilities must be identified and registered in the Information Systems & Assets Register.
The Information System or Asset Owner is responsible for appropriate management of the Information System or Asset throughout its life cycle.
Information System and Asset management must comply with the Information Asset Management Standard.
Information handling, classification, and use must be managed in accordance with the Information Management Policy.
Information Security Awareness
An information security awareness program must be established and regularly updated to ensure that Employees and Third parties are aware of their responsibilities in information security.
At least once a year, Employees and Third Parties must complete an information security awareness training course to improve their resilience to information security threats.
The Information Security Team is responsible for measuring the success of the security awareness program and for its continuous improvement.
Access Control
Access to Corporate Group’s Information Systems and Assets is granted to Employees and Third parties based on their business requirements, job function, responsibilities, and the need-to-know principle.
Access provision, modification, and removal for an Information System or Asset must be registered in the Corporate Group’s ticketing system.
The Information Asset Owner has the final approval on access provisioning, modification, and removal.
Privileged access rights, including local administrator privileges, must be provisioned only to complete the assigned job functions.
On an annual basis, access must be reviewed by the Information System and Asset Owners. Discrepancies must be remediated accordingly.
Created account names and passwords must comply with the Information Security Requirements Standard.
Access control must be managed in accordance with the Access Control Policy.
Cryptography Management
Cryptographic controls must protect the operational information at the appropriate level, based on risk assessment, considering the type, strength and quality of the encryption algorithm required.
Cryptography management must be done in accordance with the Encryption Policy.
Physical Security Management
Security perimeters (i.e., barriers such as walls, card-controlled entry gates or manned reception desks) and physical security controls (i.e., locked or manned doors during business hours) must be used to protect the areas that contain information and information processing facilities
Workplace equipment should be secured and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access
Power and telecommunications cabling, carrying data or supporting information services, should be protected from interception or damage
Equipment, information, or software should not be taken off-site without prior authorization
Physical security must be managed in accordance with the Physical Security Standard.
Vulnerability Management
Information Security Team must scan the Information Systems and Assets periodically for vulnerability identification.
Vulnerabilities can be identified using either automatic or manual vulnerability identification tools.
Information System and Asset Owners are responsible for managing the risks identified during the Vulnerability Management process.
Vulnerability management must be done in accordance with the Vulnerability Management Process.
Information Security Incident Management
Employees and Third parties must be trained on how to identify and escalate the information security incidents, weaknesses, vulnerabilities, or non-compliances.
Information security incidents must be reported using the incident report form, via communication channels.
Information security incidents must be managed in a consistent and effective manner and according to the Information Security Incident Response Standard.
Third-party Management
Information security requirements for mitigating the risks associated with Third parties’ access to the Corporate Group’s systems and assets must be defined and documented in the agreements.
The Agreements outlining the information security requirements used with the Third parties must be pre-defined and unified.
Information Security Team should regularly review the agreed level of information security in the Third party agreements.
Network Access Control
Corporate Group’s networks must be managed and controlled to protect information in information processing facilities.
All network devices must be authenticated.
Groups of information services, users, and network devices must be segregated on the Corporate Group network.
Segregation can be achieved using either different physical networks or different logical networks.
Information transfer security controls are defined in the Information Security Requirements Standard.
Information Security in Business Continuity Management
Information security must be embedded in the Business Continuity Management and Disaster Recovery Management processes.
Information Security Team members must be involved in the Business Continuity and Disaster Recovery teams as consultants, to assure that the implemented information security controls are operating or, if not, are re-established to maintain an acceptable level of information security.
Mission Critical Information System and Asset Owners must prepare Disaster Recovery Plans according to the Disaster Recovery Plan Standard.
Compliance and Audit
An independent information security audit must be conducted periodically, at least once a year, or if there are significant changes in the Corporate Group.
All identified nonconformities and remediation actions must be documented and managed according to the Information Security Management System Improvement Standard.
Disciplinary Process
A formal sanction process, ensuring correct and fair treatment, may be initiated for Employees and Third Parties failing to comply with this Standard and Related Policies.
The CISO must be informed within 24 hours when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction.
Violations of this Standard and Related Policies may result in suspension or loss of the violator’s use privileges to the Information Systems and Assets.
Additional sanctions may apply according to the labor laws applicable at the time.
Standard Review and Update
This Standard must be maintained in accordance with the Information Security Policy.
Revision History
0.1 | LŠ | GK | 2023-05-20 | 2023-05-23
0.2 | LŠ | DM | 2023-11-02 | 2023-11-02
0.3 | GK | DM | 2024-09-10 | 2024-09-10
Last updated