
Information security policy


Security policy

Edition 1 – 01/06/2020

OBJECT

The Information Security Policy (ISP) is the key document of the Information Security Program within GT LASER. It determines, at a high level, the information security principles of GT LASER in support of its governance objectives and enterprise values.

SCOPE

Information Technology (IT) is a cross-sectional function that runs through the whole business, and essential business processes are based on it. Therefore this information security policy applies to the whole of GT LASER.

POLICY

Importance of Information Technology

GT LASER recognises the importance of its information technology for achieving its strategic business goals. With the present information security policy, GT LASER draws the consequences of the dependence of its value-adding and essential business processes on IT systems. Every outage or functional impairment of IT invariably impairs the business. As a consequence of increasing inter-networking, the damage potential grows and also extends to business partners.

Therefore it is essential that GT LASER protects itself against damage resulting from the use of IT. For this reason GT LASER makes guaranteeing the security of its information technology in all areas one of its prioritized business goals.

Business-wide information security requires coordinated security management that takes all areas of IT into account. Information security management establishes requirements and rules for all IT areas and guarantees quality and security in all operational fields.

 

Objectives

It is the distinct goal of GT LASER to protect the business, through the introduction of information security, from damage that can be caused by information technology. Information security should ensure that, within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and unavailability when required (availability).

The goal of the ISP is to set up a common basis for corporate-wide information security at GT LASER by giving guidance and defining appropriate rules.

 

Information security management

To reach the information security objectives, an information security management system has to be introduced. The Chief Information Security Officer (CISO) is responsible for the implementation, maintenance and evolution of information security management. He has a direct reporting line to the GT LASER CEO.

The CISO has to be involved in IT projects at an early stage in order to take security-relevant aspects into account. This implies that involvement starts in the planning and requirement definition phases of the system development life cycle.

The management supports the continuous improvement of security levels. Employees are urged to pass on possible improvements to, or weaknesses in, the security measures and the security process to the CISO or the information security officers.

Continuous review of the measures and of compliance with them should ensure that the desired level of security is achieved. Deviations are analyzed with the goal of improving IT security levels and keeping up to date with current information security technology. The results are reported to management regularly.

 

Owners and Custodians of IT Assets

Each IT asset of GT LASER must be assigned to an owner. The owner should be a named employee (preferably) or, where that is not feasible, a department.

The owner's responsibilities are:

  • Assessment of the commercial relevance of the IT asset,
  • Classification of the IT asset in terms of confidentiality, integrity and availability (CIA),
  • Ensuring the effectiveness of the security measures that protect the asset.

Information security management has to support owners in the fulfilment of their responsibilities.

The owner, in co-operation with information security management, has to assess the commercial relevance of the IT asset and to define and introduce appropriate security measures.

Information security management has to ensure that security measures are defined and introduced for each IT asset.

The owner, in co-operation with information security management, has to monitor the implementation and effectiveness of the relevant security measures.

Information Security Principles

The information security principles communicate the rules of GT LASER in support of its governance objectives and GT LASER values.

 

Support the business

1 Focus on the business

Objective: To ensure that information security is integrated into essential business activities.

Description: Individuals within the GT LASER information security community should forge relationships with business leaders and show how information security can complement key business and risk management processes. They should adopt an advisory approach to information security by supporting business objectives through resource allocation, programmes and projects. High-level enterprise-focused advice should be provided to protect information and help manage information risk both now and in the future. 

2 Deliver quality and value to stakeholders 

Objective: To ensure that information security delivers value and meets business requirements.

Description: Internal and external stakeholders should be engaged through regular communication so that their changing requirements for information security can continue to be met. Promoting the value of information security (both financial and non-financial) helps to gain support for decision making, which can in turn help the success of the vision for information security.

3 Comply with relevant legal and regulatory requirements 

Objective: To ensure that statutory obligations are met, stakeholder expectations are managed and civil or criminal penalties are avoided.

Description: Compliance obligations should be identified, translated into requirements specific to information security and communicated to all relevant individuals. The penalties associated with noncompliance should be clearly understood. Controls should be monitored, analysed and brought up-to-date to meet new or updated legal or regulatory requirements. 

4 Provide timely and accurate information on information security performance 

Objective: To support business requirements and manage information risks.

Description: Requirements for providing information on security performance should be clearly defined, supported by the most relevant and accurate security metrics (such as compliance, incidents, control status and costs) and aligned to business objectives. Information should be captured in a periodic, consistent and rigorous manner so that information remains accurate and results can be presented to meet the objectives of relevant stakeholders. 

5 Evaluate current and future information threats 

Objective: To analyse and assess emerging information security threats so that informed, timely action to mitigate risks can be taken.

Description: Major trends and specific information security threats should be categorised in a comprehensive, standard framework covering a wide range of topics such as political, legal, economic, socio cultural as well as technical issues. Individuals should share and build on their knowledge of upcoming threats to proactively address their causes, rather than just the symptoms. 

6 Promote continuous improvement in information security 

Objective: To reduce costs, improve efficiency and effectiveness and promote a culture of continuous improvement in information security.

Description: Constantly changing organisational business models – coupled with evolving threats – require information security techniques to be adapted and their level of effectiveness improved on an ongoing basis. Knowledge of the latest information security techniques should be maintained by learning from incidents and liaising with independent research organisations. 

Defend the business

1 Adopt a risk-based approach 

Objective: To ensure that risks are treated in a consistent and effective manner.

Description: Options for addressing information risk should be reviewed so that informed, documented decisions are made about the treatment of risk. Risk treatment typically involves choosing one or more of the following options: accepting risks (i.e. by a member of management ‘signing off’ that they have accepted the risks and that no further action is required); avoiding risks (e.g. by deciding not to pursue a particular initiative); transferring risks (e.g. by outsourcing or taking out insurance); and mitigating risks, typically by applying appropriate security measures (e.g. access controls, network monitoring and incident management).

2 Protect classified information

Objective: To prevent classified information (e.g. confidential or sensitive information) from being disclosed to unauthorized individuals.

Description: Information should be identified and then classified according to its level of confidentiality (e.g. secret, restricted, internal and public). Classified information should be protected accordingly throughout all stages of the information lifecycle – from creation to destruction – using appropriate controls, such as encryption and access restrictions.

3 Concentrate on critical business applications 

Objective: To prioritize scarce information security resources by protecting the business applications where a security incident would have the greatest business impact.

Description: Understanding the business impact of a loss of integrity (e.g. completeness, accuracy and timeliness of information) or availability of important information handled by business applications (i.e. processed, stored or transmitted) will help to establish their level of criticality. Security resource requirements can then be determined and priority placed on protecting the applications that are most critical to the success of the organisation. 

4 Develop systems securely 

Objective: To build quality, cost-effective systems upon which business people can rely (e.g. systems that are consistently robust, accurate and reliable).

Description: Information security should be integral to the scope, design, build and testing phases of the System Development Life Cycle (SDLC). Good security practices (e.g. rigorous testing for security weaknesses, peer review and ability to cope with error, exception and emergency conditions) should play a key role at all stages of the development process.

Promote responsible information security behaviour

1 Act in a professional and ethical manner 

Objective: To ensure that information security-related activities are performed in a reliable, responsible and effective manner.

Description: Information security relies heavily on the ability of professionals within the industry to perform their roles responsibly and with a clear understanding of how their integrity has a direct impact on the information they are charged with protecting. Information security professionals need to be committed to a high standard of quality in their work while demonstrating consistent and ethical behaviour and respect for business needs, other individuals and confidential (often personal) information.

2 Foster an information security-positive culture 

Objective: To ensure that information security-related activities are performed in a reliable, responsible and effective manner.

Description: Emphasis should be placed on making information security a key part of ‘business as usual’, raising security awareness amongst users and ensuring they have the skills required to protect critical or classified information and systems. Individuals should be made aware of the risks to information in their care and empowered to take the necessary steps to protect it. 

 

Commitment to Information Security Policy 

The CEO of GT LASER recognises the necessity of corporate-wide information security. Therefore, the management commits itself to defining the information security process, initiating it and upholding it. GT LASER will take all economically reasonable steps in order to reach the objectives described in this document.

The responsibility for the information security of the business rests with the CEO. The CEO delegates the realization of IT security to the CIO. The contents of this ISP are fully supported by the CEO.

The CEO transfers responsibility for information security to each employee. Each employee and the management are conscious of their responsibility for information security and support the information security strategy with their utmost efforts.

 

Consequences in case of non-conformance 

The main consequences of non-conformance with this policy are:

  • Information is managed in an insecure way, which harms the company,
  • Individual behaviour that has not been adequate can be sanctioned according to current legislation.