Security Organisation
Information Security Infrastructure
Allocation of Information Security Responsibilities
The purpose of this policy is to protect all of the information assets within CX Index by allocating specific responsibilities for all such assets.
The Senior Management is responsible for the overall application of the Information Security policies.
Each asset will have an “owner”, who may delegate responsibilities, but remains ultimately responsible for the asset(s).
The asset owner will:
- Identify and define all security processes for their asset(s);
- Document all security processes on their assets; and
- Clearly define and document all authorisation levels of their assets.
Authorisation Process for Information Processing Facilities
The purpose of this policy is to protect all of the information assets within CX Index by authorising any new information facility for purpose and use, compatibility of hardware and software, and security of personal information in the facility.
The authorisation process for new Information Processing facilities requires that the Senior Management (or the designated representative) perform a risk assessment prior to authorising a new Information Processing facility.
The results of the risk assessment will be incorporated to establish additional controls by CX Index.
Specialist Information Security Advice
CX Index may obtain the services of outside security experts, as necessary, to protect the information assets within CX Index by coordinating in-house knowledge and experience to ensure consistency, provide guidance in decision making, and assess the overall effectiveness of CX Index’s Security policy.
All use of outside security experts shall be coordinated with the Senior Management before such experts are employed by CX Index in any capacity.
Cooperation between Organisations
All contact and cooperation with third parties on security matters will be coordinated through the Senior Management or a designated appointee of the Senior Management.
The purpose of this policy is to protect all of the information assets within CX Index by maintaining contacts with law enforcement authorities, regulatory bodies, information service providers and telecommunication operators, so that they can be engaged as soon as a security incident is detected.
The Senior Management shall maintain a list of contacts with:
- The law enforcement community
- The regulatory community
- Information service providers
- Telecommunications operators
The Senior Management should also maintain contact with security forums and other notification agencies.
Sending Information to Third Parties
Before any confidential information is passed to any third party organisation, authorisation shall be received from the Senior Management that will include who will contact the third party, who will be contacted, and what information will be shared. Appropriate non-disclosure agreements must be in place with any non-law enforcement agency before information is shared with that agency.
Security of Third Party Access
Identification of Risks from Third Party Access
The Senior Management will control authorisation for types of access to information processing facilities by third parties based upon the reasons for that access.
A risk assessment will be carried out before any third party access is granted and will consider the reasons for access as well as the necessary controls to be put in place.
Security Requirements in Third Party Contracts
The Senior Management will control authorisation for types of access to information processing facilities and CX Index information by third party contractors.
Any disclosure of confidential information to consultants, contractors, temporary employees, or any other third parties shall be preceded by the receipt of a signed CX Index non-disclosure agreement (NDA). This is in addition to any other applicable security policies or documents.
Access by third party contractors will be specifically agreed upon and documented in contracts. Please refer to the Third Party Management Policy for details.
Outsourcing
Security Requirements in Outsourcing Contracts
The security requirements for CX Index outsourcing the management and control of all or some of its information systems, networks and/or desktop environments should be addressed in a contract agreed between the parties.
The contract should address, where possible:
- How the legal requirements are to be met, e.g. data protection legislation, U.S. Safe Harbor;
- What arrangements will be in place to ensure that all parties involved in the outsourcing, including subcontractors, are aware of their security responsibilities;
- How the integrity and confidentiality of CX Index’s business assets are to be maintained and tested;
- What physical and logical controls will be used to restrict and limit the access to CX Index’s sensitive business information to authorised users;
- How the availability of services is to be maintained in the event of a disaster;
- What levels of physical security are to be provided for outsourced equipment;
- The right of audit.
The contract should allow the security requirements and procedures to be expanded in a security management plan to be agreed between the two parties.