Post Box 779, Chorten Lam, Thimphu, Bhutan
Bhutan Insurance Limited Information Security Policy Version 2.0
Current version | Ver. 2.0 |
Prepared by / date | Consultant, Aug 07, 2023 |
Reviewed by / date | IS Officer / DPO, Aug 16, 2023 |
Approved by / date | ISSC / & DPMC, Aug 17, 2023 |
Document Status | Active |
Confidentiality Level | Public |
Overview
This Policy serves as the foundation for the BIL information security program and provides the authority to implement policies, practice standards, and/or procedures necessary to implement a successful information security program.
Purpose
Provide management direction and support for information security per business requirements and relevant laws and regulations.
Scope
The policy statements written in this document apply to all BIL resources at all levels of sensitivity, including:
This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.
What is Information Security?
Information security is the practice of ensuring information is only read, heard, changed, broadcast and otherwise used by people who have the right to do so. It requires a range of skills and knowledge and increases in importance as our use of and reliance upon information grows.
All information has value. Sometimes this might be trivial, but in many cases that value is substantial. Value can be measured in different ways, depending on the nature of the information. In some cases, there may be a straightforward monetary value associated with the given information. For others, the emphasis is placed on different aspects of value, for example the effects of unauthorized disclosure and loss of confidentiality.
The range of undesirable consequences associated with breaches of information security is long and includes:
1. Systems being unavailable
2. Bad publicity and embarrassment
3. Fraud
4. Illegal personal investigation
5. Industrial espionage
How can information be protected?
Information security can be a daunting prospect for the average user. It is often seen as a highly technical discipline that requires expensive equipment and specialist assistance. While many situations do need this type of approach, the most sensible and effective first steps are based on common sense and sound management practice.
Assessing and understanding the risks for our organization will help to establish appropriate risk management. In turn, this should ensure appropriate incident management and recovery when security is compromised.
For organizations of higher and further education a good level of information security can be achieved through the following:
Why is Information Security required?
There are several internal and external pressures facing the organization that are driving the need for a more formal approach to information security, such as:
These should also be taken to be references to ISO/IEC 27001:2013 Information Security Management System and ISO/IEC 27701:2019 Privacy Information Management Systems; these are standard codes of practice which should be thought of as a comprehensive guide to good security practice.
Information Security Management Strategy
The purpose of information security is to ensure business continuity and minimize business damage by preventing and minimizing the impact of security incidents. Information security management enables information to be shared while ensuring the protection of information and assets.
Information takes many forms. It can be stored on computers, transmitted across networks, printed out or written down on paper, and spoken in conversations. From a security perspective, appropriate protection should be applied to all forms of information, including papers, databases, tapes, diskettes, conversations and any other methods used to convey knowledge and ideas. The organization’s information, and the Information Technology that supports it, are important business assets. Their availability, integrity, and confidentiality are essential to maintain efficient operations, value for money, legal compliance, and a respected image.
The organization is facing increasing security threats from a wide range of sources. Systems and networks may be the target of serious threats, including computer-based fraud, espionage, vandalism and other sources of failure or disaster. New sources of damage, such as the highly publicized threats of computer viruses and computer hackers, continue to emerge. Such threats to information security are expected to become more widespread, more ambitious and increasingly sophisticated. At the same time, because of the increasing dependence on IT systems and services, the organization is becoming more vulnerable to security threats. The growth of networking presents new opportunities for unauthorized access to computer systems and reduces the scope for central, specialized control of IT facilities.
The first stage in providing the organization with adequate information security is the formulation of an information security policy and procedures for its implementation, and the appointment of an Information Security Officer. At BIL this responsibility is assigned to the Information Security Steering Committee (ISSC) / Data Privacy Management Committee (DPMC).
Guidelines for use
Each topic is addressed with a short introduction followed by guidance on how to use it and how the policy is developed. This is followed by the subsections that comprise a suggested policy statement and the security procedures that should be considered when implementing the policy. The policy subsections may also contain further information relevant to developing the policy.
Enforcement & Penalties
The Information Security Policy and other related policies should be enforced by a combination of automated monitoring and network defense tools. These should be combined as necessary with direct audit and personal monitoring of systems and the use of agreed log files for reporting the outcome of routine tasks and tests. The results should be subject to scrutiny by the information security management team, who should, in turn, report their findings to senior management.
If an employee is aware of a potential breach of this policy, they should be encouraged to report their concerns to their manager. All such information should be treated in confidence. Any breaches of policy should be investigated in conjunction with the Information Security Officer, and Human Resources levies appropriate penalties determined according to the circumstances. Depending on the severity of the breach, penalties up to and including termination may be considered appropriate.
Establish an information security policy for the organization which is appropriate and supports its purpose.
Ensure that the information security policy either includes security objectives or can be used to establish defined objectives, and makes a commitment to comply with all relevant information security requirements.
Contact Details
For any queries, please contact the Information Security section at iso@bil.bt
Version History
Ver. No. | Year | Particulars of Changes | Prepared By / date | Reviewed By / date | Approved By / date |
---|---|---|---|---|---|
1.0 | 2022 | Initial Information Security Policy defined. | Consultant May 23, 2022 | IS Officer May 30, 2022 | ISSC Jun 01, 2022 |
2.0 | 2022 | Information Security Policy defined. | Consultant Nov 07, 2022 | IS Officer & DPO Nov 16, 2022 | ISSC & DPMC Nov 17, 2022 |
2.0 | 2023 | Annual review conducted and Nil changes made | Consultant Aug 07, 2023 | IS Officer & DPO Aug 16, 2023 | DPMC Aug 17, 2023 |