|Corda Network Foundation||Document history|
Organisation of Information Security Policy
This policy defines the governance structure for the conduct of information security activities by the Corda Network Foundation.
2 Control Objectives
The objectives of this policy are to ensure the effective governance of information security activities by the Foundation, such that:
- All members of the organisation understand their information security responsibilities.
- An effective security management program is established, that appropriately directs company resources to protect information assets and address current and emerging information security (cyber) risks.
3 Who Does the Policy Apply to?
This policy applies to employees and contractors, consultants, temporaries, and other workers at the Foundation. This group is referred to as “employees and associates” throughout this policy.
Information security controls and obligations placed upon external suppliers are addressed by a separate supplier risk management policy.
All employees and associates are required to implement the principles outlined in this policy and to carry out their responsibilities as defined.
5 Roles and Responsibilities
The Management Team
The Foundation management team holds overall responsibility for the protection of information assets at the Foundation. The management team will exercise this responsibility through its participation in the Information Security Committee and associated activities.
Chief Information Security Officer
The Chief Information Security Officer (CISO) provides management team sponsorship for the information security function and owns the information security issues at the executive level. The CISO role may be carried out by an appropriately qualified management team member. Information Security Manager
The Information Security Manager will develop and maintain an appropriate process to identify, assess, rank and manage information security risk to the Foundation. The Information Security Manager’s responsibilities include:
- Maintenance of the information risk register.
- Management of information security activities, including Security Management and Security Operations portfolios (see below) throughout the Foundation.
- Development and maintenance of the information security management system (ISMS).
- Delivery of such external security certifications or reports that are required by the business.
- Advising the CISO on operational security matters.
- Provision of a focal point for information security related issues and the provision of support and guidance to the business as required.
Information owners are Foundation team members with specific responsibilities for the protection of Foundation information or systems. Information owners understand the information in their area of the business and its usage. They are therefore responsible for operational decision making regarding the protection and use of that information. Information owners may participate in the Information Security Committee or Security Operations Group.
Employees and associates
Employees and associates are responsible for the day to day protection of Foundation information assets. In particular they are required to be aware of, and to abide by, the Foundation’s information security policies, and to maintain the controls appropriate for their individual area of responsibility. All employees and associates may be called upon to provide subject matter expertise to information security program activities as required.
The Information Security Program
The information security program includes the following main elements:
An Information Security Committee that defines and monitors the Foundation’s desired security posture and provides governance for the overall information security program.
A Security Management Portfolio that includes high level information risk and information security management capabilities as well as large security-related projects. The Security Management Portfolio is concerned with the implementation of the Foundation’s desired security posture.
A Security Operations Portfolio which includes the development and execution of specific security controls, incident response capabilities and the execution of small, self-contained security projects. The Security Operations Portfolio is concerned with the maintenance of the Foundation’s desired security posture.
A Security Operations Group that provide resources and expertise for the execution of the Security Operations Portfolio and monitors the performance of the Foundation’s security controls.
The Information Security Committee
The Information Security Committee will provide oversight and direction for the Security Management and Security Operations portfolios though Committee meetings and associated activities. The Committee will:
- Ensure that Information Security Program activities are appropriately prioritised and resourced
- Ensure that the program is supported by the whole organisation.
- Define a desired security posture that balances risk and return for the Foundation.
- Ensure that Security Management and Security Operations Portfolios are delivering the necessary controls to allow the Foundation to achieve its desired security posture.
- Propose, develop and approve new security controls and review existing controls where necessary.
- Consider of the impact of new security ideas, or changes to the security and regulatory environment in which the Foundation operates and propose new security controls as appropriate.
The Information Security Committee members will support the Information Security Management Program in general, and the Security Management Portfolio in particular, through:
- Championing information security activities within their own functional areas.
- Participating in Information Security Committee meetings and associated activities.
- Providing resources for information security program activities where necessary.
Members of the Information Security Committee will be drawn from appropriate functional areas of the business.
The Information Security Committee will have executive level sponsorship.
The Information Security Committee will meet at a frequency to be determined, but not less than biannually.
The Security Management Portfolio
The Security Management Portfolio is a collection of major security initiatives that either have foundation-wide impact, or that require significant resources to execute. The portfolio will be managed by the Information Security Manager and will include:
- An information risk management capability which will assess, rank and manage information security risks to the Foundation.
- Development of an information security management system (ISMS), a set of policies, procedures and controls that will protect Foundation information assets.
- Delivery of such external security certifications or reports that are required by the business. This may include activities such as ISO 27001 certification or SOC 2 type reports.
- Development and delivery of the security awareness program. Delivering appropriate training to those who need it.
- Major technical or organisational information security projects.
Oversight for the Security Management Portfolio will be provided by the Information Security Committee.
Performance metrics for the Security Management Portfolio will be developed and maintained by the Information Security Manager and presented to the Information Security Committee.
Security Operations Portfolio
The Security Operations Portfolio is a collection of ongoing operational security activities and smaller scale, short duration, projects. The Security Operations Portfolio will be managed by the Information Security Manager and will include:
- Implementation of the information security management system through the development and implementation of appropriate technical and procedural security controls.
- Security incident response capabilities.
- Security assurance activities including third party security testing.
- Information security input to other areas of the Foundation, including platform development and compliance.
- Research into emerging technologies, threats and vulnerabilities.
- Activities to support the delivery of external security certifications or reports as required by the Information Security Committee.
- Support for network participant vendor risk management reviews.
Performance metrics for the Security Operations Portfolio will be developed and maintained by the Information Security Manager, reviewed by the Security Operations Group, and presented to the Information Security Committee.
The Security Operations Group
The Security Operations Group will provide resources and governance for the Security Operations Portfolio and security “business as usual” activities. The group will ensure that:
- Operational security issues are assigned to parts of the foundation that are best placed to handle them.
- Security issues are tracked and resolved in a timely manner.
- Resourcing or scheduling issues are identified and conflicts resolved, wherever possible, at an operational level.
The Security Operations Group will be chaired by the IT Security Manager and will report to the Chief Information Security Officer (CISO).
The Security Operations Group may not have a fixed membership. The Information Security Manager will request the input of subject matter experts and information owners to resolve issues as and when necessary.
Department heads will be required to support the Security Operations Group through the allocation of subject matter experts to participate in group activities where required.
Issues assigned to a subject matter expert that cannot be reasonably handled as business as usual should be reported as such to the IT Security Manager. The security manager will attempt to resolve conflicts in consultation with the CISO and owner of the resources in question. This may include transfer of the issue from the Security Operations to the Security Management Portfolio.
The Security Operations Group will meet at a frequency to be determined, but not less than every two months.
Regular assessments are carried out for compliance against this policy. Any violation of this policy will be investigated and if the cause is found due to wilful disregard or negligence, it will be treated as a disciplinary offence. All disciplinary proceedings are coordinated through the Human Resources Department. the Foundation reserves the right to amend this policy at any time and will publish updated versions to all staff.