Corda Network Foundation Document history

Security Policy

1 Purpose

This document represents the “top level” information security policy for the Corda Network Foundation. It defines, in broad terms, the Foundation’s commitment to a program that will address information security (cyber) risk, and how it will organise itself to deliver that program.

2 Vision and Direction

The Foundation’s information security management program will define security objectives for the Foundation in terms of business goals, client requirements and the regulatory environment in which the Foundation and network participants operate.

The Foundation will identify and prioritise information risks, then address those risks with security controls that are aligned with its objectives.

A demonstrably effective security management program will allow the Foundation to engage with confidence with large and demanding network participants, and ensure that information security is not a barrier to participation in the Corda Network.

3 The Information Security Program

3.1 Program structure

The Foundation will implement an information security management program with three main components:

  • An information risk management program which will identify, assess and prioritise information security risks to the business. The program will produce an information risk register together with proposed activities to control the risks identified. Those activities will be assessed and prioritised in the light of the impact and likelihood of the risks they address, combined with cost of the control activities themselves. The output of this process will be a prioritised program of activities to establish and maintain a security posture that is aligned to the Foundation’s business objectives and attitude to risk.
  • An information security management capability that delivers the program of work defined by the information risk management program and carries out other major, or highimpact, security projects. The information security management capability will oversee the design and implementation of an information security management system (ISMS) for the Foundation. The ISMS will define such policies, procedures, standards and guidelines as are necessary to maintain the Foundation’s desired security posture.
  • A security operations capability, that monitors and maintains the Foundation’s security posture, provides a security incident response capability and executes smaller projects of limited impact. The security operations capability will operate the information security management system.

3.2 Information Security Organisation

Information security activities at the Foundation will be managed centrally by the Operator. A Chief Information Security Officer (CISO), or equivalent, will own information security issues at an executive level. The CISO will be supported by an Information Security Manager who will oversee the information security management program.

An information security committee will provide oversight and governance for information security program activities. The committee will support the information Security Manager in the assessment and prioritisation of information risk, the development of policies and standards, and will be responsible for ensuring that the ISMS meets the needs of the enterprise.

A security operations group will provide resources and oversight for security operations activities within the framework of the ISMS. Its members will be drawn from departments carrying out security-critical activities.

3.3 Education and awareness

The Foundation will implement a mandatory security awareness program, which will equip team members with the information necessary to understand the risks to the Foundation and client interests that result from the use of technology in the workplace. The security awareness program will also familiarise team members with the tools used by the Foundation to control those risks, including security policies, procedures and guidelines.

3.4 Incident response

The Foundation will implement and maintain an incident response capability to receive and respond to reports of actual or suspected information security incidents.

4 Relationship to Other Policies

As the overarching security policy for the Foundation, this document does not attempt to comprehensively address all security issues within the Foundation. The information security program will give rise to the creation of additional, issue-specific policies that address areas such as access control, business continuity planning and supplier management.

The information security function at the Foundation is responsible for defining and maintaining information security policies for the Foundation. Appropriate controls will be established to ensure these policies are fit for purpose and aligned with the Foundation’s security objectives