INFORMATION SECURITY MANAGEMENT SYSTEM 
Asset & Service Management Policy
(Doc. No: ISMS-PL-AMP)
Copyright Notice:
The present document or drawing is property of Mysa and shall not, under any circumstances, be totally or partially, directly or indirectly, transferred, reproduced, copied, disclosed, or used, without its prior written consent, for any purpose and in any way other than that for which it is specifically furnished or outside the extent of the agreed upon right of use.
Revision History
Rev | Date (MM/DD/YYYY) | STATUS | WRITTEN BY | CHECKED BY | APPROVED BY
1.0 | 05/01/2024 | First released version | Mohit Jain | Karthik Tabjul | Arpita Kapoor
DOCUMENT REVISIONS: Sections changed in the last revision are identified by a vertical line in the right margin.
Contents
1. Introduction
2. Scope
3. Policy Statements
3.1 Authorized Use
3.2 Protection of Information Assets
3.3 Access Control
3.4 Prohibited Activities
3.5 Personal Use
3.6 Data Privacy and Confidentiality
3.7 Responsible Use of Resources
3.8 Prohibited Activities
4. Technical Controls
4.1 Antivirus and Anti-Malware Protection
4.2 Ransomware Protection
4.3 Web Protection
4.4 Managed Application Whitelisting
4.5 Peripheral Management
4.6 Automated Incident Response
4.7 Centralized Management
5. Compliance
6. Policy Review
7. Policy Distribution
1. Introduction
This policy establishes guidelines and procedures for the acceptable use of all assets, both physical and informational, within the organization. It aims to ensure the confidentiality, integrity, and availability of information, while also promoting responsible and ethical use of organizational resources. This policy aligns with the requirements of the ISO 27001:2022 standard and applies to all employees, contractors, and other users who have access to the organization's information assets.
2. Scope
This policy applies to all information assets owned, managed, or used by the organization, including but not limited to:
- Computer systems, networks, and infrastructure
- Cloud infrastructure
- Software applications and databases
- Data and information in any format (electronic or physical)
- Communication systems and devices
- Mobile devices
3. Policy Statements
3.1 Authorized Use
- Users shall only access and use information assets for legitimate business purposes authorized by their job responsibilities.
- Users shall comply with all applicable laws, regulations, contractual obligations, and organizational policies while using information assets.
- Users shall not engage in any activity that may compromise the security, integrity, or availability of information assets.
3.2 Protection of Information Assets
- Users shall take reasonable measures to protect information assets from unauthorized access, loss, theft, damage, or misuse.
- Users shall follow information security procedures, including the use of strong passwords, encryption, and physical security controls, to safeguard information assets.
- Users shall report any suspected or actual security incidents or breaches to the appropriate authorities promptly.
- Users must protect classified information in line with the relevant handling and storage guidelines.
3.3 Access Control
- Users shall access information assets only if they have been authorized and granted appropriate access rights.
- Users are responsible for maintaining the confidentiality and security of their login credentials and must not share their access credentials with unauthorized individuals.
3.4 Prohibited Activities
- Users shall not engage in activities that may disrupt or compromise the availability, integrity, or confidentiality of information assets.
- Prohibited activities include but are not limited to unauthorized access, use, or disclosure of information; attempting to bypass security controls; and engaging in malicious activities or unauthorized modification of information assets.
3.5 Personal Use
- Limited and reasonable personal use of information assets may be permitted, provided it does not interfere with work responsibilities, violate any laws or regulations, or compromise the organization's information security.
- Personal use must not consume excessive network bandwidth, pose a security risk, or interfere with the productivity of other users.
3.6 Data Privacy and Confidentiality
- Users shall respect and protect the privacy and confidentiality of sensitive and personal information in accordance with applicable privacy laws and organizational policies.
- Users shall not disclose or share confidential information without proper authorization, both within and outside the organization.
- Users shall handle personal data in compliance with applicable data protection regulations and organizational privacy policies.
3.7 Responsible Use of Resources
- Users shall use information assets responsibly and efficiently, avoiding excessive or unnecessary consumption of resources.
- Users shall not install unauthorized software, modify system configurations, or engage in activities that may negatively impact the performance or stability of information assets.
3.8 Prohibited Activities
- Users shall not engage in any activity that is illegal, unethical, or against organizational policies while using information assets.
- Prohibited activities include but are not limited to:
  a. Unauthorized access or use of information assets
  b. Distribution of offensive, discriminatory, or harassing content
  c. Intentional introduction of malware or viruses
  d. Unauthorized disclosure or alteration of information
  e. Use of information assets for personal gain or non-business purposes
4. Technical Controls
The IT department shall implement the following technical controls and security measures to enforce and support this policy. Sophos is installed on all laptops before they are handed over to users. Sophos protects all endpoint devices through the following measures:
4.1 Antivirus and Anti-Malware Protection: Sophos constantly monitors the files and processes on a laptop for signs of malicious activity, such as viruses, worms, trojans, and ransomware. In addition, the anti-malware tool ‘Guardrail’ is installed on AWS resources.
4.2 Ransomware Protection: Sophos’s CryptoGuard technology monitors for signs of ransomware activity and can stop encryption processes in their tracks, preventing data loss.
4.3 Web Protection: Sophos provides protection against malicious websites that might try to download malware onto the laptop or steal sensitive information. It further helps protect users from phishing attacks by blocking emails and websites that attempt to trick users into revealing personal information, such as passwords or credit card numbers.
4.4 Managed Application Whitelisting: Sophos allows organizations to control which applications can run on laptops. By creating a whitelist of approved applications, Sophos prevents unauthorized or potentially harmful software from being installed or executed, reducing the risk of security breaches.
4.5 Peripheral Management: Sophos can control the use of external devices like USB drives, preventing unauthorized data transfer or the introduction of malware via these devices. This helps protect sensitive data and prevents data leakage.
4.6 Automated Incident Response: If Sophos detects a threat, it can automatically respond by isolating the infected laptop from the network, blocking malicious processes, or removing the threat entirely. This reduces the risk of the threat spreading or causing further damage.
4.7 Centralized Management: Sophos provides a cloud-based management platform called Sophos Central, where IT administrators can monitor and manage security policies across all laptops in the organization. This platform provides real-time insights, reporting, and remote management capabilities, making it easier to ensure consistent security across all endpoints.
- Policy Enforcement: Through Sophos Central, security policies can be enforced across all laptops, ensuring that they are consistently protected according to the organization’s security standards.
- Full Disk Encryption: Sophos offers full disk encryption to protect data stored on laptops. This means that even if a laptop is lost or stolen, the data on it cannot be accessed without proper authorization, as it is encrypted and requires a key to decrypt.
The IT department shall provide awareness training and guidance to users regarding acceptable use of information assets.
5. Compliance
- Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or termination of contracts with third-party service providers.
- Compliance with this policy shall be regularly assessed through monitoring, audits, and incident reporting.
6. Policy Review
This policy shall be reviewed at least annually or when significant changes occur within the organization's information assets or regulatory requirements, to ensure its relevance and effectiveness.
7. Policy Distribution
This policy shall be distributed to all employees, contractors, and third-party service providers who have access to the organization's information assets. It shall be readily accessible and communicated through appropriate channels.
INTERNAL 