Information Security High Level Policy
1.1 Objective
The objective of this policy is to protect the information assets of DOF from all threats, whether internal or external, deliberate or accidental, thereby ensuring uninterrupted services to Employees and Stakeholders and managing the risk to an acceptable level through the design, implementation, and maintenance of an effective Information Security Management system.
The document outlines the basic principles of protecting all the information assets of the Department of Finance. It makes all employees within DOF and relevant external parties aware of the potential security threats and associated business risks, and it provides policy statements with regard to:
A. The management intent and specific requirements for the information security program.
B. The requirements at various phases of the ISMS lifecycle to: Establish, Implement & Operate, Monitor & Review, and Maintain & Improve the ISMS.
1.2 Scope
The scope of this policy presents the minimum requirements for information security controls and applies to the Department of Finance, including but not limited to employees, consultants, contractors, outsourced staff, and visitors who are not government employees but are engaged with it through various means. Furthermore, the policy applies to any government information regardless of its type and medium (e.g., printed, electronic, non-electronic, written, etc.). Therefore, the Department of Finance (DOF) shall implement all applicable ISR regulations and ISO 27001:2013 controls in all divisions/departments and shall not limit the implementation to Information Technology (IT) divisions/departments only.
1.3 Policy Statement
DOF is steadfast in its commitment to securing and safeguarding the confidentiality, integrity, and availability of information essential for its business operations. Consequently, information security is vital to the smooth and prosperous operation of DOF.
This section explains the principles that need to be followed for the effective implementation and management of this policy.
1.4 Policy
1.4.1 Information Security High Level Policy
1. All information assets shall be used in a manner that supports the strategic goals and objectives of DOF.
2. All applicable legal and/or regulatory requirements pertaining to information security shall be addressed.
3. All information & information processing systems shall be identified, valued and classified to ensure adequate protection.
4. An Information Security Risk Management methodology shall be developed and maintained to assess information security risks.
5. Appropriate information security training and awareness shall be provided to all employees (permanent and contract employees).
6. Employees and vendors or third party contractors shall adhere to the information security policies, procedures, standards, guidelines etc. approved by the management of DOF.
7. Information shall be handled in a secure manner to avoid any loss of confidentiality, integrity, and availability during its creation, storage, processing, transmission and disposal.
8. Information and information processing systems shall be accessible to the authorized users as per their business needs.
9. Information and information processing systems shall be physically secured against any loss of confidentiality, integrity and availability.
10. All changes related to information and information processing systems shall be managed in a secure manner.
11. All information security incidents shall be reported and managed in a timely manner with proper escalation matrix defined for treating high severity incidents.
12. IT Business Continuity plans shall be defined, implemented and tested adequately to ensure availability of information and information processing systems during any emergency.
13. The posture of information security shall be continuously reviewed and improved to ensure continuous adherence to this policy.
14. Employees and non-employees of DOF shall not attempt to bypass any of the information security controls.
15. Compliance with applicable standards and regulations on information security, e.g. ISO 27001:2013 and Dubai ISR, shall be ensured.
Important Tips: Caution and Commitment Are Key to Information Security
It is common and easy to fake outward appearances to make scams successful; uniforms and business cards are cheap and easy to obtain, and email addresses, phone numbers, and even caller ID can be easily manipulated. Social engineers can simply use the real names of employees, suppliers, and service providers.
Therefore, everyone must be careful not to treat everything they receive as trustworthy. Individuals and their corporate authority should be verified, and information should be confirmed. This verification can be done in simple steps and may protect the employee from revealing sensitive corporate or personal details to social engineering attackers, who use the principles of social psychology to influence behavior, often initiate and continue to build relationships, and are generally skilled at what they do.
Tips to avoid falling victim to phishing and social engineering:
· Carefully examine any link you receive and compare it to the real link.
· Ask the unknown caller for an official landline number to verify their identity.
· Beware of any tempting/pressing, limited-time financial offers.
· Do not accept any free software or external storage devices from any unknown party.