Information Security Management System – Information Security Policy
Information and information systems are critical to the efficient and effective operation of IFDS’ core business. As such, IFDS must strategically and tactically define operations to create, process, transmit, and store information (both electronic and paper format) in a manner that ensures its protection at all times. Therefore, information security cannot just be something that we do; it must be an organizational culture that is deeply embedded in all aspects of our business.
In order to protect the confidentiality, integrity and availability of our information, the IFDS Senior Management Team has approved an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013.
Senior Management is committed to the IFDS ISO/IEC 27001:2013 information security model and approves this document, and supporting documents within the ISMS.
The Risk Management Committee and I, as Chief Security Officer, further endorse this Information Security Policy.
Dennis Gregoris, Chief Security Officer
October 30, 2020
This policy applies to International Financial Data Services (Canada) Limited (“IFDS”). It does not apply to International Financial Data Services Limited globally unless otherwise stated.
This policy applies to all employees (full-time, part-time, temporary, and casual) of IFDS. Unless otherwise specified in contractual agreements, offshore development, transfer agency operations, and other third parties are out of scope and governed by local policies and specific agreements.
Where appropriate, this policy governs information throughout its lifecycle, as well as information technology (IT) assets owned or leased by IFDS including, but not limited to, networks, applications, servers, endpoints, removable media, telephony (including mobile devices and fax), and the buildings and processing facilities owned or leased by IFDS where such information and IT assets are located.
ISO/IEC 27001:2013 is the standard adopted by IFDS to govern its ISMS. This standard identifies, manages and minimizes the range of threats to which information and IT assets can be subjected. It is designed to ensure the implementation of adequate security controls that protect IFDS’ assets and give confidence to interested parties including regulators and customers.
The ISMS contains 114 controls in 14 groups: Information Security Policies, Organization of Information Security, Human Resources Security, Asset Management, Access Control, Cryptography, Physical and Environmental Security, Operations Security, Communications Security, System Acquisition, Development and Maintenance, Supplier Relationships, Information Security Incident Management, Information Security Aspects of Business Continuity Management, and Compliance. Each ISMS domain contains control objectives stating what is to be achieved and one or more controls that can be applied to achieve those objectives.
As part of the ISMS, IFDS has established a framework of controls, policies and supporting documents, which it reviews on an annual basis.
3. Roles and Responsibilities
Risk Management Committee (RMC) includes members of the IFDS Leadership Team and is responsible for ensuring that a continuous risk management process is operating effectively at IFDS. The RMC will:
- Review and approve this policy.
- At a high level, oversee the structure of the ISMS.
- Ensure that information security objectives are compatible with the organization’s strategic direction.
- At a high level, assign the roles and responsibilities for developing, implementing and maintaining the ISMS.
- Ensure that there are sufficient resources to develop, implement and maintain a security program.
- Evaluate the various risk management approaches used to manage security risks.
- Review security incidents that have, or could have had, a significant operational impact on critical data or systems; or any security incidents that may have a significant negative impact on IFDS or its clients.
- Review significant security concerns arising from internal or external audits, regulatory or threat landscape, and review responses to those concerns to ensure areas of potential risk are addressed.
- Where necessary, report security-related incidents or risks to the Board of Directors, the Executive Committee, and/or the Audit Committee.
- Provide leadership with respect to information security awareness, education, and training.
Chief Security Officer (CSO) is accountable for the development, implementation and maintenance of the ISMS and associated security programs designed to manage risk and ensure compliance with the ISO standard.
Information Security Director is responsible for the development, implementation and maintenance of the ISMS and associated security programs designed to manage risk and ensure compliance with the ISO standard. This includes, but is not limited to:
- Defining and updating security controls that are consistent with industry best practice and enable IFDS to operate both securely and effectively.
- Providing advice and guidance on the implementation of security controls.
- Assessing and managing risks within the environment, including risks associated with third parties.
- Reporting on the performance of the ISMS.
Security Committee (SC) is a cross-departmental forum responsible for reviewing security controls and initiatives to ensure that security risks remain within a tolerable level. The SC will:
- Review the ISMS (and associated metrics) on a regular basis, and where appropriate, recommend opportunities for improvement.
- Ensure that the impact of security controls is considered against business objectives and priorities.
- Review internal and external issues that affect either the ISMS or the threat landscape.
- Review the results of security assessments and audits, and where necessary, provide feedback on remediation activities.
- Where required, review the status of remediation activities related to audit findings, client assessments, security assessments, penetration & vulnerability testing, and third-party vendor assessments.
- Regularly review information security incidents, and where possible, identify areas for improvement to prevent similar incidents in the future.
- Approve or deny all security exceptions.
- Review and approve security sub-policies and standards.
- Escalate significant security concerns to the RMC.
Compliance Officer is responsible for ensuring compliance with any law, statutory, regulatory or contractual obligations.
All Managers are responsible for ensuring:
- Direct reports have appropriate, authorized access to information and information systems, or have their access revoked when no longer required.
- Direct reports use information resources only for approved business purposes.
- Direct reports complete their required information security training.
- Direct reports are held accountable when they fail to execute their security responsibilities.
- Their business processes comply with all relevant security controls.
All Employees are responsible for:
- Understanding and complying with this policy and other applicable ISMS policies or mandatory supporting documents.
- Asking for clarification from their Manager or Information Security when they are unclear about a security-related responsibility.
- Immediately reporting all real or suspected security incidents.
- Completing all security-related training within the required timeframes.
The objectives of the ISMS and this policy are to:
- Continually strengthen internal controls to protect the confidentiality, integrity and availability of information owned, created, stored and/or processed by IFDS on behalf of its clients, affiliates, partners and employees, as well as IT assets owned or leased by IFDS.
- Effectively manage information security-related risks within the environment.
- Identify and respond to security incidents in a manner that minimizes impact on confidentiality, integrity, and availability of IFDS’ information and IT assets.
- Ensure that all employees and third-party resources understand and assume their security responsibilities.
- Enhance client, affiliate, stakeholder, market perception and confidence through demonstrable security controls that protect business investments and opportunities.
- Ensure compliance with information security-related regulatory and legal obligations.
5. Security Policy
IFDS’ core business relies heavily on information and information systems. It is imperative that these assets are appropriately protected against threats to their confidentiality, integrity, and availability. In order to do so, IFDS will:
- Define information security controls (which may consist of administrative, technical and physical controls) that align with business requirements, industry best practice, and legal, regulatory and contractual requirements.
- Regularly review information security controls to ensure compliance, suitability, and effectiveness.
- Continually identify and assess information security risks, and implement controls for the treatment and ongoing monitoring of such risks, including risks posed by third-party vendors.
- Classify and protect information according to its sensitivity.
- Control access to sensitive information and IT assets.
- Ensure that IFDS-owned applications are developed securely.
- Ensure that all IT assets (e.g., hardware, network, and endpoints) used by IFDS to create, access, use, or store information are secured.
- Establish a process to detect, respond to, and learn from security incidents.
- Regularly review, update and test business continuity plans to ensure that they address information security requirements.
- Provide information security education and training to all employees annually, in addition to ongoing awareness activities provided throughout the year; and ensure that third parties perform information security education and training that is equivalent to IFDS’ information security education and training.
- Ensure that all employees are aware of their information security responsibilities, and hold all employees individually responsible for unauthorized or inappropriate access, disclosure, disposal, modification, or use of information and IT assets owned or leased by IFDS.
Failure to comply with this policy or any mandatory supporting document may result in disciplinary action, up to and including termination of employment or contractual agreement.
7. References and Supporting Documents
Policy Effective Date: October 2020