Information Security Policy

This page was last updated on 8th May 2024

Objectives

HashMove Inc (hereinafter “HashMove”) recognizes the paramount importance of securing its IT infrastructure and related assets, which include information, computer systems, network elements, and associated services. Effective and efficient security measures are essential for safeguarding these assets within the company’s facilities and operations. This policy is designed to establish a secure IT environment at HashMove, thereby protecting the confidentiality, integrity, and availability of information and its processing for the company, its customers, and other stakeholders. The policy statements herein are derived from current business requirements and from the risks posed by external and internal factors.

Scope

The Information Security Management System (ISMS) at HashMove encompasses a comprehensive range of IT services, including system integration, application management, software development, support, and consulting. It also includes in-house supporting activities such as facilities management, HR, legal, and IT services within all HashMove locations.

Applicability

This document outlines the high-level security policies applicable to all HashMove facilities and personnel, including those deployed on-site for project execution. These policy statements are further detailed in specific second-level policies, procedures, guidelines, and configuration documents relevant to various functions, departments, and processes. The policy applies to all information and IT assets owned or managed by HashMove. Information security is a collective responsibility, requiring the participation and support of every user dealing with information and/or information systems. This includes employees, contractors, consultants, temporary staff, interns, suppliers, partners, subsidiaries, and visitors, all of whom must comply with these information security policies and related documents when working for HashMove.

References
  • ISO 27001:2018
  • ISO 27001:2013

A. Security Organization

The security of information is an organization-wide responsibility, coordinated by the Information Security function. This function, comprising top executives and senior members from various departments (sales, presales, legal, IT, HR, admin, and finance), will promote and oversee information security initiatives. IT will maintain appropriate contacts with ISPs, telecommunications operators, and law enforcement to ensure prompt responses in case of security incidents.

B. Information and Asset Classification and Control

Every piece of information and IT asset, whether hardware or software, will have a designated owner and be classified according to the Information and Asset Classification Policy. Comprehensive and up-to-date asset lists for hardware, software, and information assets will be maintained. Movement of information and assets, whether electronic or physical, will be controlled and authorized.

C. Data Protection

All users must maintain the confidentiality of customer and HashMove business data, intellectual property, software code, and designs. This information must not be disclosed to unauthorized individuals. Access to customer information is strictly on a need-to-know basis within the project team; sharing it with other project teams or with third parties requires explicit authorization from the project manager.

D. Access Management

Access to information and IT assets, both logical and physical, will be authorized based on roles, the need to know, and task performance requirements. Access will be monitored and controlled using appropriate authentication procedures. Proper records of access to confidential information, such as customer contracts and financial data, will be maintained.

E. Personnel Security

All new recruits will be screened before joining. Each user must sign a contractual agreement not to divulge sensitive or private information to unauthorized parties. Security responsibilities will be clearly defined and communicated. All users must participate in mandatory training and awareness programs covering security and their responsibilities in using company systems.

F. Acceptable Usage

All users must adhere to the security policy and related user guidelines. Each user is responsible for the security of information and IT assets under their control. Users will be held accountable for the ethical and appropriate use of these resources. Misuse may result in disciplinary action, including termination.

G. Physical Security

The safety of human life is of the highest priority. Systems will be in place to ensure safety in case of disasters, such as fire. Major client areas or server rooms will be physically segregated and access restricted. Physical security requirements will be considered in the design of new facilities.

H. Network Security

HashMove’s network and public websites will be secured against intrusions and failures that could compromise the confidentiality, availability, and integrity of information and assets. The network will be segregated from external networks using firewalls, and due care will be taken to protect customer networks from internal threats.

I. Computer and Network Management

All IT operating procedures and guidelines related to technical infrastructure elements and services will be formally documented.

Virus Protection: Effective anti-virus measures will be implemented across HashMove.

Email & Internet Services: Email services will be provided to employees and contractors for business purposes, with limited personal use acceptable. HashMove reserves the right to monitor communications in compliance with applicable laws.

Information & Software Exchange: Sensitive or critical information and software will be exchanged with customers only under formal agreements that specify the secure transmission methods to be used.

User Logs: Logs of user activity will be maintained where technically feasible.

Licensed Software: Only licensed software will be used, and users must comply with licensing agreements and copyright laws.

Change Management: All new applications, computer systems, and networks will be deployed in a secure configuration by default. Risk assessments and approvals are required before new deployments and before modifications to existing systems.

System Acceptance Testing: Requirements and criteria for acceptance of new information systems and components will be defined, documented, and tested before acceptance.

J. System Development and Maintenance

HashMove will secure its software development environment, ensuring that security is integrated into the development process. Proper change control procedures will be followed to ensure that software changes do not compromise security.

K. Business Continuity Management

HashMove’s Business Continuity Management System aligns with ISO 22301 standards. The policy and framework cover people safety, asset protection, environmental safety, and business continuity for both internal and external customers.

L. IT Outsourcing

Vendors providing outsourced functions must comply with HashMove’s information security policy. This requirement will be specified in vendor contracts, and respective function heads will ensure compliance.

M. Application Security

Applications developed or purchased for HashMove’s business will be secured to ensure the confidentiality, integrity, and availability of company information. Security will be considered throughout the software development life cycle.

N. Incident Management

A formal incident reporting and management procedure will be in place, detailing escalation levels. Users must report incidents only through this procedure and must not discuss them with unauthorized individuals. A formal process for communicating incidents to the press, clients, or security agencies will be established.

O. Purchase

IT products will be evaluated for security risks prior to purchase. No products will be purchased or used without approval from the Information Security function.

P. Risk Assessment

Continuous re-evaluation of risks to information and IT assets is essential. Risk assessments will be conducted annually or when there is a significant change in business operations. The criteria for evaluating risks will be based on their potential business impact.

Q. Compliance

HashMove will comply with all relevant laws and regulations related to information security. The Information Security function and top management will review the policy annually and incorporate necessary changes based on evolving circumstances.

Roles & Responsibilities

Security implementation and maintenance at HashMove are cross-functional responsibilities managed by the Information Security function, with ownership distributed across various functions and groups. The table below specifies the functions/groups responsible for each policy element.

Policy Scope                                    | Responsibility
------------------------------------------------|----------------------------------------------------------------
Security Organisation                           | Information Security function (ISF)
Information & Asset Classification and Control  | Information Technology; Data Owners; Function Head / Team Leads; Admin
Data Protection                                 | Users; Team Leads
Access Management                               | Physical access: HR, Admin; Logical access: Data Owner / IT
Personnel Security                              | Human Resources
Acceptable Usage                                | Users
Computer and Network Management                 | Team Leads; Information Technology
Network Security                                | Information Technology
Software Development and Maintenance            | Development Team
Business Continuity                             | Assistant Director Customer Success; DevOps; Engineering Team
IT Outsourcing                                  | Information Technology Manager; CTO; Head of Function
Physical Security                               | Administrator
Application Security                            | Application Owners
Incident Management                             | Information Technology; Admin; ISF / Users
Purchases                                       | Function and all other project owners
Risk Assessment                                 | ISF; Risk Owners
Compliance                                      | ISF; Legal Team
Policy Responsibilities

The security organization at HashMove is managed by the Information Security function, which oversees the implementation and coordination of security measures across the company. Information and asset classification and control are responsibilities distributed among IT for hardware and packaged software, Admin for facilities and supporting equipment such as air conditioning and UPS units, and data owners or function heads for information management. Data protection is a shared responsibility of data owners and all users, ensuring the confidentiality and integrity of sensitive information. Access management involves HR and Admin for physical access controls, and data owners or IT for logical access, with strict authorization protocols in place.

Personnel security is managed by HR, which ensures that all recruits are screened before joining and that all users sign contractual agreements regarding sensitive information. Acceptable usage of information and IT assets is mandated for all users, who are held accountable for ethical and appropriate use. Computer and network management, including virus protection, email and internet services, logging, and the related operating procedures, falls under the IT department's purview. Network security is also managed by IT, which protects HashMove's network and public websites from intrusions and failures.

Software development and maintenance are the responsibilities of project owners and the development team, integrating security throughout the development process. Business continuity management involves the Assistant Director Customer Success, DevOps and engineering teams, respective functions, and the InfoSec function, aligning with ISO 22301 standards to ensure resilience and continuity of operations. IT outsourcing is managed by IT, admin, and the heads of functions outsourcing projects, ensuring vendors comply with HashMove's security policies.

Physical security is overseen by admin, ensuring safety in case of disasters and restricting access to secure areas. Application security is managed by application owners, ensuring the security of applications used for business operations. Incident management involves users, IT, admin, and the Information Security function, with formal reporting and management procedures in place. Purchases of IT products require evaluation and approval from function and project owners, ensuring security risks are assessed.

Risk assessment is conducted by risk owners and the Information Security function, re-evaluating risks continuously to adapt to the changing IT environment. Compliance with relevant laws and regulations is the responsibility of the Information Security function, users, and the legal function, with annual reviews of the information security policy to incorporate necessary changes based on evolving circumstances.

Annual Review

Version     | Reviewed on | Change Required (Y/N) | Remarks
------------|-------------|-----------------------|--------
Version 1.0 | 01-02-2021  | N                     | OK
Version 2.0 | 01-02-2022  | Y                     | OK
Version 3.0 | 01-02-2023  | Y                     | OK
Version 3.0 | 08-08-2023  | Y                     | OK
Version 4.0 | 10-02-2024  | Y                     | OK
Version 5.0 | 08-05-2024  | Y                     | OK