policy for information security

Document creation history Name Information security policy Number of the document IS-PL/01-18 Version 2. 0 Authorized Anzor Mekhrishvili Approved A person with the highest executive authority Date of approval 29. 03. 2018 Date of activation 02. 04. 2018 Date of update 26. 02. 2018 1. Purpose and goal of the document Information Security Policy (referenced as the “Policy”) is a pre-eminent document that governs various information security policies and procedures and reflects the attitude of the BDO Group (referenced as the “company”) towards information security topics. This policy further defines key information security requirements, with high responsibilities to customers, partners, and regulators to support sustainable business growth. The primary objectives of the information security policy are:  Defining responsibilities and authorities towards information security matters.  Defining communication rules for the use of information technologies and information systems for BDO Group employees and other users.  Developing information security control mechanisms in the company, to ensure confidentiality, integrity, and availability.  Intensive assessment, management, and monitoring of risks arising from internal and external threats, and the introduction and development of appropriate information security mechanisms, to avoid or minimize the expected harm.  Defining and implementing basic rules of conduct against incidents, crises, and intentional or negligent harm. Information security policy is based on widely-accepted international standards and general practices in Information Security. The policy envisages and complies with the legislation of Georgia. 2. Definition of terms BDO Group - ბიდიო ჯგუფის წევრად მიიჩნევა საქართველოში რეგისტრირებული ყველა იურიდიული პირი, რომელიც წარმოადგენს გაერთიანებულ სამეფოში რეგისტრირებული ფირმის -“ბიდიო ინტერნეშენალ ლიმიტედის” წევრს ხმის უფლებით ან მის გარეშე. ბიდიო ჯგუფის ყველა წევრი ფირმა შედის ბიდიოს დამოუკიდებელი ფირმების საერთაშოისო ქსელის შემადგენლობაში. ბიდიო არის საერთო სასაქონლო ნიშანი ბიდიოს ქსელისა და მისი თითოეული წევრი ფირმისთვის. Company- Ltd BDO Georgia, Ltd BDO Audit, Ltd BDO Consulting, Ltd BDO legal, Ltd BDO HR and Payroll, Ltd Startup Fund, individually. Information Asset – All types of information, information storage, processing, transmission technology, employees, and their knowledge of information processing. Information Security – Protection of confidentiality, integrity, and availability of information. Information Security Incident – Actual or potential breach of information security policy resulting in unauthorized access, disclosure, damage or interruption of information or access to information resources. Confidentiality- Access to information only for persons entitled to access it. Integrity – Knowledge that ensures that information is correct, not intentionally or negligently altered, and reflects accurate facts. Availability- Knowledge that ensures that information/system will be available to authorized users at the required time. 3. Scope of the document Areas of Information security policy regulation include all business units within the BDO Group. Owned by BDO Group:  Information from an employee, client, or other third parties  All information resources Owned by BDO Group:  All information systems  All information technologies and IT infrastructure  Any other technical means by which information is collected, stored, protected, authorized, transmitted, received, copied, transferred, processed, or destroyed. BDO Group employees and third parties:  Who manages the information owned or is under the regulation of the company  Who uses or administers the company’s information systems and IT infrastructure. All procedures and other documents of BDO Group:  Which regulates the way of working with information, information or computing systems, IT infrastructure, documents, and any information carriers.  Which regulates information security cases between the company and its customers. 4. Responsibilities Implementation of a successful and effective information security system requires management and further development with coordinated and purposeful work of all BDO Group employees and partners. 4. 1 Responsibilities of all employees of BDO Group Responsibility of all BDO Group employees:  Understand and follow information security policies and company information security rules.  Follow the company information confidentiality rules.  Ensure the safety of the information systems and means of communications used.  Immediately notify the Information Security Department of any violations of information security rules or suspicious events. 4. 2 Responsibility of the person with highest executive authority of the BDO Group The responsibility of the person with the highest executive authority of the BDO Group is:  Review and approve the company’s information security policy  Provide oversight at the strategic level of formation, management, and ongoing development of company unified information security environment.  Allocate and monitor appropriate organizational, human, material, and monetary resources in line with business objectives to achieve information security objectives.  Review information security reports and incidents. 4. 3 Responsibilities of heads for the service department and directions Responsibilities of heads for the service department and directions are:  Organize and control compliance with information security requirements in its subordinate area  Organize and control the awareness of its subordinates in the field of information security  Organize and control third-party information security awareness related to its business process  Information security requirements consideration when developing department internal standards and procedures  Proper distribution of responsibilities and access to information in the subordinate area.  Classification of confidential information and monitoring compliance with relevant rules. 4. 4 Responsibility of Information Security Officer Responsibility of Information Security Officer is:  Monitoring and management of information security.  Analysis of information security requirements made by BDO Group management, partners, and business units.  Responding to information security incidents, management, and analyzing relevant trends.  Development of information security policies, procedures, and guidelines.  Evaluating BDO Group processes and monitoring their compliance with information security principles  Checking the level of current information risks, developing recommendations, plans, and measures to minimize them, and monitoring their implementation, which helps to increase the level of security of the company’s information systems.  Review, verify and monitor information security requirements.  Participation in the training of company employees on issues related to information security  Participation in implementing BDO Groups business continuity plan  Participation in organizing crisis response and management  Participation in information security risk analysis for new projects and change management  Reporting on information security issues with a person with the highest executive authority of BDO Group 4. 5 Responsibilities of the IT Department of the BDO Group BDO Group IT Department responsibilities are:  Organizing, managing, and developing information systems and information technologies according to information security requirements  Providing technical security architecture for company systems (which takes into account information security requirements in IT architecture and infrastructure)  Developing standards and procedures for the management, development, and modification of information systems and information technologies to ensure compliance with BDO Group information security requirements  Purchasing, development, implementation, operation, modernization, and decommissioning of information systems, software, and information technologies under the company’s information security requirements  Managing the company’s information assets and access control, responding promptly and effectively to any prohibited or dangerous actions or cases in relation to controlled systems.  Managing and proper usage of media carriers in the company’s IT infrastructure  Managing and proper usage of BDO Group communication tools  Management of BDO Group IT business continuity  Providing backups due to business continuity plan  Continuous monitoring of the state of information systems and IT infrastructure  Intensive review of information security vulnerabilities and appropriate response  Analysis of cases in information systems and IT infrastructure, investigation of suspicious cases, timely detection, and escalation of security incidents. 4. 6 Responsibilities of the Human Resources Management Division of BDO Group The responsibility of BDO Group’s Human Resources Division:  Ensure proper selection and background checking of BDO Group employees  Organizing the training of employees in the field of information security 4. 7 Responsibilities of the owners of BDO Group information assets Responsibilities for the owners of BDO Group information assets are:  Knowledge of what information assets they are responsible for  Classification of assets according to the rules defined by the company and accordingly determine their authorization  Ensuring the existence of information security controls over the information asset under their responsibility 4. 8 Responsibilities of the BDO Group Lawyer: Responsibilities of the BDO Group Lawyer include:  Checking compliance of the policy with the legislation  Providing the relevant normative acts to the information security officer  Providing legal advice in investigating information security incidents or other conflict situations. 5. Principles of Information Security BDO Group’s information security policy and other related documents are based on the ISO 27000 standard series. The company must constantly protect confidentiality, integrity, and availability of information: Confidentiality – Access to information is allowed only to authorized personnel who need such access to perform the assigned functions Integrity – Information must be complete, accurate, and timely to ensure the proper functioning of the business Availability – Information should be available and usable at any time needed.  All information assets should be classified according to their level of confidentiality, integrity, and availability  All employees should treat the information assets of the company according to the level of its classification  The information asset must be protected from unauthorized access according to its classification level. 6. Approval of the document The policy is approved by a person with the highest executive authority. Any deviation from the policy should be considered as an exception and approved by a person with the highest executive authority. The information security officer is required to update the policy every 2 years. The person with the highest executive authority may at any time amend the policy on the recommendation of an information security officer or any member of the executive branch.