Post Box 779, Chorten Lam, Thimphu, Bhutan

Information Security

Bhutan Insurance Limited Information Security Policy Version 2.0

Current version: Ver. 2.0
Prepared by / date: Consultant, Aug 07, 2023
Reviewed by / date: IS Officer / DPO, Aug 16, 2023
Approved by / date: ISSC & DPMC, Aug 17, 2023
Document Status: Active
Confidentiality Level: Public

Overview

This Policy serves as the foundation for the BIL information security program and provides the authority to implement policies, practice standards, and/or procedures necessary to implement a successful information security program.

Purpose

Provide management direction and support for information security per business requirements and relevant laws and regulations.

Scope

The policy statements written in this document apply to all BIL resources at all levels of sensitivity, including:

  1. All full-time, part-time, and temporary staff employed by, or working for or on behalf of BIL.
  2. Contractors and consultants working for or on behalf of BIL.
  3. All other individuals and groups who have been granted access to BIL systems and information.

This policy covers all information assets defined in the Risk Assessment Scope Document and will be used as a foundation for information security management.

What is Information Security? 

Information security is the practice of ensuring information is only read, heard, changed, broadcast and otherwise used by people who have the right to do so. It requires a range of skills and knowledge and increases in importance as our use of and reliance upon information grows.

All information has value. Sometimes this might be trivial, but in many cases that value is substantial. Value can be measured in different ways, depending on the nature of the information. In some cases, there may be a straightforward monetary value associated with the given information. For others, the emphasis is placed on different aspects of value, for example the effects of unauthorized disclosure and loss of confidentiality.

The range of undesirable consequences associated with breaches of information security is long and includes:

  1. Systems being unavailable
  2. Bad publicity and embarrassment
  3. Fraud
  4. Illegal personal investigation
  5. Industrial espionage

How can information be protected?

Information security can be a daunting prospect for the average user. It is often seen as a highly technical discipline that requires expensive equipment and specialist assistance. While many situations do need this type of approach, the most sensible and effective first steps are based on common sense and sound management practice.

Assessing and understanding the risks for our organization will help to establish appropriate risk management. In turn, this should ensure appropriate incident management and recovery when security is compromised.

For organizations of higher and further education a good level of information security can be achieved through the following:

  1. A pragmatic approach to policy and standards should be adopted resulting in an information security policy, which is supported by realistic and workable processes and procedures.
  2. The rigor of security measures applicable to any information system should be proportional to the assessed risk of the confidentiality, integrity or availability of its information becoming compromised.
  3. The risk assessment process should be light touch and might categorize the likelihood and consequences of any compromise of an information system’s confidentiality, integrity or availability as being high, medium or low.
  4. Policies should not just apply to centralized IT services; the graduated model developed allows appropriate measures to be defined right down to individual Systems/PCs/Peripherals.
  5. A well-informed, well-trained workforce, who exercise an appropriate (but not excessive) level of vigilance, is an essential element of any security package.

Why is Information Security required?

There are several internal and external pressures facing the organization that are driving the need for a more formal approach to information security, such as:

  1. Increased awareness of the need for proper security frameworks
  2. Increased awareness of legal compliance requirements
  3. The expansion of the role of auditors in organizational governance
  4. The need to satisfy external bodies when working with sensitive data

Across the whole community, organizations are facing the same issues. The solution may be different for each, but there are many common elements. This policy was developed by taking the control guidelines contained in the ISO/IEC 27001:2013 ISMS and ISO/IEC 27701:2019 PIMS standards as a starting point from which to derive a set of policies appropriate to higher and further education.

References to these standards should be taken to mean ISO/IEC 27001:2013 Information Security Management System and ISO/IEC 27701:2019 Privacy Information Management System; each is a standard code of practice that should be thought of as a comprehensive guide to good security practice.

Information Security Management Strategy

The purpose of information security is to ensure business continuity and minimize business damage by preventing and minimizing the impact of security incidents. Information security management enables information to be shared while ensuring the protection of information and assets.

Information takes many forms. It can be stored on computers, transmitted across networks, printed out or written down on paper, and spoken in conversations. From a security perspective, appropriate protection should be applied to all forms of information, including papers, databases, tapes, diskettes, conversations and any other methods used to convey knowledge and ideas. The organization’s information, and the Information Technology that supports it, are important business assets. Their availability, integrity, and confidentiality are essential to maintain efficient operations, value for money, legal compliance, and a respected image.

The organization is facing increasing security threats from a wide range of sources. Systems and networks may be the target of serious threats, including computer-based fraud, espionage, vandalism and other sources of failure or disaster. New sources of damage, such as the highly publicized threats of computer viruses and computer hackers continue to emerge. Such threats to information security are expected to become more widespread, more ambitious and increasingly sophisticated. At the same time, because of the increasing dependence on IT systems and services, the organization is becoming more vulnerable to security threats. The growth of networking presents new opportunities for unauthorized access to computer systems and reduces the scope for central, specialized control of IT facilities.

The first stage in providing the organization with adequate information security is the formulation of an information security policy and procedures for its implementation, together with the appointment of an Information Security Officer. At BIL this responsibility is assigned to the Information Security Steering Committee (ISSC) / Data Privacy Management Committee (DPMC).

Guidelines for use

Each topic is addressed with a short introduction followed by guidance on how to use and how the policy is developed. This is followed by the subsections that comprise a suggested policy statement and security procedures that should be considered when implementing the policy. The policy subsections may also contain further information relevant to developing the policy.

Enforcement & Penalties

The Information Security Policy and other related policies should be enforced by a combination of automated monitoring and network defense tools. These should be combined as necessary with direct audit and personal monitoring of systems and the use of agreed log files for reporting the outcome of routine tasks and tests. The results should be subject to scrutiny by the information security management team, who should, in turn, report their findings to senior management.

If an employee is aware of a potential breach of this policy, they should be encouraged to report their concerns to their manager. All such information should be treated in confidence. Any breach of policy should be investigated in conjunction with the Information Security Officer, and Human Resources should levy appropriate penalties determined according to the circumstances. Depending on the severity of the breach, penalties up to and including termination may be considered appropriate.

Establish an information security policy for the organization which is appropriate and supports its purpose.

Ensure that the information security policy either includes security objectives or can be used to establish defined objectives, and makes a commitment to comply with all relevant information security requirements.

Contact Details 

For any queries, please contact the Information Security section at iso@bil.bt

Version History

Ver. 1.0 (2022): Initial Information Security Policy defined.
  Prepared by / date: Consultant, May 23, 2022
  Reviewed by / date: IS Officer, May 30, 2022
  Approved by / date: ISSC, Jun 01, 2022

Ver. 2.0 (2022): Information Security Policy defined.
  Prepared by / date: Consultant, Nov 07, 2022
  Reviewed by / date: IS Officer & DPO, Nov 16, 2022
  Approved by / date: ISSC & DPMC, Nov 17, 2022

Ver. 2.0 (2023): Annual review conducted and nil changes made.
  Prepared by / date: Consultant, Aug 07, 2023
  Reviewed by / date: IS Officer & DPO, Aug 16, 2023
  Approved by / date: DPMC, Aug 17, 2023