Information Security Policy
ISO 27001 Information Security Management System
Purpose and Scope
TIMWETECH has adopted the ISO 27001 Information Security Management System as a tool for protecting the confidentiality, integrity and availability of information.
TIMWETECH is committed, in accordance with its mission and values, to maintaining and improving information security and business continuity and to minimizing exposure to risk within the company, while designing and implementing impactful mobile marketing, mobile entertainment and mobile money solutions and maximizing value creation for mobile carriers, media groups, Governments/NGOs, brands and end consumers.
The current policy aims to protect the information and respective systems from all identified threats, internal or external, deliberate or accidental.
The security policy applies to all users with access to TIMWETECH information, whether employees or not. Any user with access to technology resources and/or TIMWETECH information must comply with all rules applicable to their use, under the terms and conditions stipulated in this and other policies, as well as in any additions and/or amendments to them.
Internal Document Name
PL02_MS_V2.0_INFORMATION SECURITY POLICY | 2.0 | PUBLIC
It is therefore TIMWETECH’s policy to ensure that:
- TIMWETECH shall control or restrict access so that only authorized individuals and partners can view sensitive information.
- Information will not be made available to outside parties without the written consent of the TIMWETECH administration.
- TIMWETECH commits to continually improve its ISMS, to comply with applicable legal and other obligations to which it subscribes and satisfy applicable expectations from interested parties.
- Information Security training will be made available to all employees and suppliers where appropriate.
- The protection of information will be considered, when business continuity plans for mission critical activities are produced, maintained, tested or invoked.
The objectives of the TIMWETECH ISMS were defined by top management and are recorded in the ISMS Objectives Policy.
Risks & Implications
Any personal computer, workstation or other device that is connected to TIMWETECH infrastructure is a threat to the infrastructure itself.
Improper use may jeopardize the confidentiality, integrity or availability of information and of TIMWETECH's technological infrastructure.
The resolution of security issues increases the operating costs of the technological infrastructure and can cause considerable impacts to TIMWETECH business operation.
The commitment of each user in following TIMWETECH Information Security policy can minimize costs and the impacts listed above.
The CSO is responsible for the supervision of ISMS implementation and its policies. All employees or external entities are responsible for complying with policies that are part of TIMWETECH’s ISMS.
The current policy, and any related standards and controls, is subject to a review process and continuous improvement to ensure its continuing suitability and to effectively mitigate the risks related to IS and, consequently, to the business, in compliance with the applicable rules and regulations.
The review of all policies and procedures should be performed at intervals of no more than 1 year, or as soon as major changes justify it. This applies to all policies and processes within the ISMS.
Confidentiality and Proprietary Information
All information produced, processed, transmitted and stored within the scope of TIMWETECH’s business is TIMWETECH’s exclusive property and may only be copied, reproduced, used, removed or accessed by persons outside the organization in accordance with the TIMWETECH Information Classification Procedure.
Licensing and Software Installation
All software must be licensed under the name of TIMWETECH.
In addition to the software installed by default for all users, a list of additional software is installed on each computer according to the user’s working area. The software list is described in the User Equipment Management document.
Software licensed under the name of TIMWETECH must be installed only on equipment used for professional purposes.
Some licenses may be granted for private use, if it’s not for business activity or it is outside the corporate context. Top Management must always grant permission for these particular cases.
Any copy of the Licensed Software can only be made under a Contingency and Recovery plan.
The IS Steering Committee is responsible for deciding to add, change, upgrade or remove any licensed software in the User Equipment Management Technical Document.
Any employee who requires specialized software should always consult the CSO beforehand about its use, and the software must be installed with CTO approval. This policy will ensure software compatibility within operation.
Software that is not necessary for TIMWETECH business, such as software that may jeopardize the confidentiality, integrity and availability of information and/or technological systems within TIMWETECH, should not be installed or executed.
All information (both business and technical) must be stored on TIMWETECH systems (OneDrive, Intranet, Databases) so that it can benefit from security mechanisms that minimize the risk of downtime, and maximize the confidentiality and integrity of information, such as backups and access control.
Information outside the professional sphere should not be stored on TIMWETECH systems and may be deleted without notice.
The use of mobile storage devices (e.g. pen drives, memory cards) is allowed, following the rules defined in the Information Classification Procedure.
The entire TIMWETECH technological infrastructure, composed of networks, software, information and equipment, is owned by TIMWETECH. TIMWETECH reserves the right, if it is deemed appropriate, to:
- Block and analyse any file or set of unstructured data, stored, processed or in transit, that threatens the integrity, confidentiality or availability of TIMWETECH infrastructure or information;
- Block full or partial access to services (software and/or information), such as E-mail or Internet access, without warning or the user’s consent, when such usage threatens the integrity, confidentiality or availability of TIMWETECH infrastructure or information;
- Turn off or deactivate any service at any time.
A password allows a system to authenticate a user and assign the necessary permissions for its role.
The Password Policy establishes a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
The usage of the Electronic Mail (email) system should be restricted to professional usage within the scope of TIMWETECH activities.
Its occasional use for private purposes is not prohibited, but it must be governed by common sense and moderation. Abusive use includes, for example, sending mass e-mails or attachments that are oversized or have inappropriate content.
Suspicious emails, including unsolicited or out-of-context ones, should not be opened.
The Acceptable Use Policy specifies the particular set of controls associated with the “acceptable use” of IT and other equipment and facilities used, including e-mail usage, and thereby protects TIMWETECH from the associated Information, Cyber, Technology and Reputation Risks.
The Internet is an essential tool for TIMWETECH operation. Internet must be used only for consultation, receipt or publication of information. It should be used sparingly and within the business needs.
The publication of TIMWETECH information in social networks, blogs, wikis, discussion forums or other types of sites is expressly prohibited, except when duly approved by Top Management. The Acceptable Use Policy details the appropriate measures that must be taken to minimize vulnerabilities in internet usage.
Modems, switches, routers, mobile broadband devices, Wi-Fi cards, Wi-Fi devices or other communication equipment may only be connected to TIMWETECH infrastructure with prior CTO approval.
Antivirus and Security updates
Antivirus installation, configuration, operation and security updates may only be performed by the IT ServiceDesk team, according to the Security Operations Procedure.
Workstation locking (PCs and mobile phones)
Whenever employees leave the workstation they must end the session or block access to the workstation, unless doing so has a negative impact on business.
Employees must carry their service mobile phones with them at all times and have them protected with a PIN code or biometric authentication.
TIMWETECH will audit and test the equipment on a periodic basis to analyse compliance with security policies and, if needed, implement corrective measures.
Technical Compliance Reviews
TIMWETECH will perform technical compliance reviews on an annual basis, and their scope should be defined within the ISO27001:2013 Management Review Meeting.
Approval Method Using Email
The Exchange Online deployment in TIMWETECH has Intra-Org Encryption active, ensuring that mail exchanged between TIMWETECH e-mail addresses is encrypted. With this level of encryption TIMWETECH will continue to use the approval method of signing its documents, while acknowledging email approval as an alternative approved method.
TIMWETECH Top Management, subscribing to the principles recommended in ISO 27001:2013 standards, is committed to:
- Assure and implement the principles outlined in this Policy and its approval, publication and communication to all employees and relevant external parties;
- Assure a strategy to be applied to IS management, aligned with TIMWETECH's strategy;
- Secure the creation of an organizational infrastructure and support, ensuring sustainability and the necessary evidence, in accordance with the IS Risk Management;
- Secure the resources for the operation and management of IS processes and activities;
- Promote awareness of employees and external parties about the IS policy, and their share of responsibility on the process;
- Provide regular and transparent performance reporting about IS within TIMWETECH.
Security Incident Reporting
All breaches of information security, actual or suspected, must be reported to firstname.lastname@example.org and will be investigated by the Security Team.