The purpose of this policy is to define information security requirements for information assets (physical, logical or intangible). This policy acts as a compass, providing direction for protecting information assets from both internal and external threats that compromise confidentiality, integrity or availability.
This policy applies to people, processes, and technology systems that interact with information and information assets.
Information security activities shall be focused on, and driven overall by, this information security policy:
- Management of GZ Systems shall demonstrate due commitment to providing the resources required for establishing information security objectives in line with this policy.
- Management of GZ Systems shall ensure that adequate resources are provided, roles and responsibilities are clearly defined and documented, and a training and awareness program is established.
- All internal staff, outsourced staff, suppliers and third-party service providers share the commitment to the provision of appropriate levels of security across all functions that hold GZ Systems' and its customers' information.
- All internal staff, outsourced staff, suppliers and third-party service providers share the obligation to protect information, assure customer privacy, and remain vigilant in preventing unauthorized or fraudulent activity.
- Precautions and measures shall be taken at all times to ensure the Confidentiality, Integrity and Availability of all information systems according to their importance (value) for business activities.
- Information Security objectives shall be established based on organizational information security requirements, best practices and ISO 27001.
- Information assets shall be identified, their associated risks shall be assessed and evaluated, and appropriate measures shall be implemented in risk treatment planning.
- Access to information assets shall be controlled, and access rights shall be reviewed on a regular basis to align with changing business needs.
- Backups shall be maintained for critical data as per its classification to allow continuity of business without disruption.
- A mechanism for reporting information security incidents shall be established for their timely resolution.
- Internal audits shall be conducted to establish the effectiveness of the implemented ISMS.
- Management of GZ Systems shall ensure continual improvement through periodic external assessments and the established processes of internal audit and risk management.
- Management of GZ Systems shall ensure compliance with all applicable legislative and regulatory requirements.
- Appropriate disciplinary actions shall be taken in case of any information security breach.