INFORMATION SECURITY POLICY
Introduction
The information managed by INCM, its support processes, systems, applications, and networks are valuable assets to the organization and, in this context, information security must be a priority in order to ensure the continuity of the organization’s activity, minimizing risks and maximizing performance and service delivery.
Information security should be applied in all phases of the information life cycle, ensuring that a high level of quality and security is maintained in a permanent and balanced way, preventing the materialization of inherent risks, to mitigate the potential damage caused by the exploitation of vulnerabilities and security incidents, and ensuring that the business operates as expected over time.
It is INCM's understanding that information security is a fundamental prerequisite for the success of its services; it is the responsibility of everyone (employees, suppliers, or other entities) who has access to the information at any given moment to act in accordance with the rules defined and imposed by this policy.
Information Security is supported by a management system, known as the Information Security Management System (ISMS), consisting of a set of policies and procedures that ensure the essential principles of information security, namely availability, integrity, and confidentiality, in accordance with business requirements, relevant laws, and regulations.
Goal
This policy aims to define the purpose, direction, principles, and fundamental rules of information security management, according to the characteristics and needs of the business of Imprensa Nacional – Casa da Moeda (INCM) and its stakeholders.
Scope/Target Public
Applicable to the whole organization, including all stakeholders and entities that maintain any kind of commercial/contractual relationship with INCM (employees, customers, suppliers, service providers) and that have access to, usage rights over, or control of the information assets held by INCM and/or the resources associated with them.
All stakeholders must know and act in accordance with this Policy and the other Information Security related documents, as applicable and appropriate.
Failure to Comply
All covered stakeholders who deliberately violate this policy will be subject to sanctions and other actions, up to and including termination of the contract and/or the reporting to the police or judicial authorities of situations that suggest a crime has been committed.
Information Security Policy
The Information Security Policy expresses the considerations of INCM regarding information security on the following aspects:
A. Elementary aspects of Information Security:
The management of information security and the systems that support it is carried out ensuring, through an approach based on risk management and continuous improvement, the confidentiality, integrity, and availability of information. In this sense, INCM commits itself to:
- Ensure the security of the information it holds title to, as well as all resources associated with it, whether procedural, technological, or human;
- Ensure the establishment and pursuit of the principles described in this policy, as well as its approval, publication, and communication to all relevant collaborators and external entities;
- Ensure the necessary resources for the operationalization of information security management processes and activities;
- Ensure the definition, implementation, and revision of the information security management strategy and ensure the correct alignment with the policies and strategic business objectives of INCM;
- Ensure that the ISMS achieves its intended results;
- Promote, in a structured and systematic way, continuous improvement.
B. Information Classification and Handling:
An information security asset is defined as any resource of value to the organization. Assets are classified according to their sensitivity with respect to the attributes of confidentiality, integrity, and availability, so that the appropriate controls can be applied to safeguard them.
C. Use of mobile devices and remote access:
Security measures are applied to the use of mobile devices to ensure the confidentiality, integrity, and availability of business information so that it can be accessed (locally or remotely) and/or processed by these devices.
D. Acceptable use of assets:
The information assets owned by INCM are used in a way that guarantees their protection, avoiding exposure to information security risks that could compromise the business continuity of INCM.
INCM grants its employees and visitors the right to use their own equipment, as long as the internal guidelines are followed.
E. Relationship with suppliers
Suppliers are evaluated in order to guarantee contractual relationships with entities that provide access to materials and services suitable for INCM's business.
The specifications drawn up by INCM for awarding contracts for the supply of goods or services include aspects that guarantee Information Security, stipulating the supplier’s responsibilities and duties.
F. Physical and logical access controls
Physical and logical access controls are in place that allow the management of identities through user identification and authentication processes and, in turn, allow the implementation of restriction rules based on security criteria.
The different profiles, privileges, and levels of physical and logical access are defined following the Principle of Least Privilege, that is, by assigning the level of access strictly necessary for the user to perform the assigned functions and no more.
G. Encryption
INCM implements cryptographic mechanisms to protect logical information from unauthorized access.
H. Clean desk and screen
Information considered sensitive, in physical or digital format, is duly protected whenever it is not in use.
I. Backups
Backup copies are made with a defined periodicity in order to safeguard the information.
Employees and visitors are responsible for backing up the information contained on the equipment under their charge.
J. Information Transfer
Information is exchanged over approved communication channels, following the security requirements defined according to its security classification.
K. Engineering principles and policy for developing secure information systems:
Principles of secure information system development are applied at all levels of the system architecture (business, data, applications, and technology) balancing the need for security with the need for accessibility/functional efficiency.
The principles are considered throughout the life cycle of information systems from an evolutionary perspective.
L. Information Security in Project Management
Information security is addressed in project management by identifying possible information security risks associated with the project to be implemented.
M. Risk Management and Incident Management and Business Continuity
Risks to INCM's information assets, arising from various sources, are identified, analyzed, and quantified/qualified.
Events that call into question, or have the potential to call into question, information security commitments are treated as possible security incidents and are handled according to the internal Incident Management process.
Continuity of information security is addressed within business continuity planning, which accounts for the loss of information resources by implementing preventive and recovery controls.
N. ISMS Profiles, Responsibilities and Authorities
INCM defines the roles, responsibilities, and authorities needed to enforce its information security commitments.
Information Security Responsibilities
The Information Security Policy is the responsibility of the CISO (Chief Information Security Officer), who is in charge of monitoring and evaluating the ISMS implementation, reporting to top management on its performance, and ensuring the system's compliance with the requirements of the Standard.
Maintenance and communication of Information Security Policies
The Information Security Policy must be periodically reviewed in order to ensure that it continues to be adequate to INCM and must be communicated to all stakeholders within the scope of their relationship with INCM.
Change Control
REVISION NO. | DATE | MOTIVE
---|---|---
0 | 12/11/2020 | Creation of the External Information Security Policy
1 | 17/05/2021 | Change Control Introduction
Talk to us
You may contact INCM for all matters related to this policy through the following email address: ciso@incm.pt or send your request by letter to the address Avenida de António José de Almeida, Edifício Casa da Moeda, 1000-042 Lisboa.