Information Security Management System General Policy
1. SCOPE
The purpose of this document is to describe the general principles of information security defined by the TRE Altamira remote sensing to develop an efficient and secure Information Security Management System (ISMS).
2. INFORMATION SECURITY POLICY
The Chief Executive Officers (CEO) and the top management of TRE Altamira, located in Italy (Milan), Spain (Barcelona) and Canada (Vancouver), which operates in displacement monitoring services using satellite radar data, are committed to preserving the confidentiality, integrity, and availability of all the physical and electronic information assets throughout their organisation to preserve high availability, regulatory and contractual compliance and commercial image.
Information and information security requirements will continue to be aligned with TRE Altamira goals and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations, for data management and for reducing information-related risks to acceptable levels.
TRE Altamira's current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating, and controlling information-related risks through the establishment and maintenance of an ISMS.
The Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled. The Head of Risk is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in this document and are supported by specific documented policies and procedures.
All Employees/Staff of TRE Altamira and certain external parties identified in the ISMS are expected to comply with this policy and with the ISMS that implements this policy. All Employees/Staff, and certain external parties, will receive the requirements and will be required to undergo the appropriate training. The consequences of breaching the information security policy are set out in the Organization’s disciplinary policy and in contracts and agreements with third parties.
The ISMS is subject to continuous, systematic review and improvement.
TRE Altamira has established a top-level management steering group/Information Security Committee, chaired by Chief Executive Officers (CEO), Head of IT (CIO), local IT of the three offices and other executives/specialists/risk specialists to support the ISMS framework and to periodically review the security policy.
TRE Altamira achieved the certification of its ISMS to the International Standard ISO 27001:2013.
This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, ‘information security’ is defined as:
Preserving
This means that management, all full time or part time Employees/Staff, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures) and to act in accordance with the requirements of the ISMS. All Employees/Staff will receive information security awareness training and more specialised Employees/Staff will receive appropriately specialised information security training.
the availability,
This means that information and associated assets should be accessible to authorised users when required and therefore physically secure. The computer network must be resilient, and TRE Altamira must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
confidentiality
This involves ensuring that information is only accessible to those authorised to access it, and therefore preventing both deliberate and accidental unauthorised access to TRE Altamira information and proprietary knowledge and its systems, including its network(s), website(s), extranet(s), and monitoring system.
and integrity
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification of either physical assets or electronic data. There must be appropriate contingency plans (including for network(s), system(s), website(s) and extranet(s)), data backup plans and security incident reporting. TRE Altamira must comply with all relevant data-related legislation in those jurisdictions within which it operates.
of the physical (assets)
The physical assets of TRE Altamira include, but are not limited to, racks, servers, laptops and personal computers, data cabling, smartphones, filing systems and physical data files.
and information assets
The information assets include information printed or written on paper as well as information stored electronically on servers, intranet(s), Cloud Services, PCs, laptops, mobile phones, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e., the software: operating systems, applications, utilities, etc.).
of TRE Altamira.
TRE Altamira and such partners that are part of our integrated business and have signed up to our security policy must accept this policy and the requirements of the ISMS.
The ISMS is the Information Security Management System, of which this policy, the Information Security Manual and other supporting and related documentation is a part, and which has been designed in accordance with the specification contained in ISO 27001:2013.
A SECURITY BREACH is any incident or activity that causes, or may cause, a breakdown in the availability, confidentiality, or integrity of the physical or electronic information assets of TRE Altamira.
3. RESPONSIBILITY FOR INFORMATION SECURITY POLICY
The Management is responsible for the secure information management system, in line with the evolution of the business and market context, evaluating any actions to be taken in the face of events such as:
- significant business developments;
- new threats compared to those considered in the risk analysis activity;
- significant security incidents;
- evolution of the regulatory or legislative context regarding the secure processing of information.