Information security policy

Rapid Information Systems is committed to protecting all information with the highest standards of security, confidentiality, and integrity. Through strict policies, secure systems, and continuous monitoring, we ensure data is safe, reliable, and resilient for our clients and operations.

1. Information security policy

1.1 Introduction

Rapid Information Systems is committed to providing the highest level of confidentiality, integrity, and availability of information and related assets by:

  • Protecting them from all threats using reasonably practical measures.
  • Ensuring continual improvement in business continuity of its services and related operations.
  • Monitoring, regularly reviewing, and continually improving information security management.
  • Ensuring that the ISMS is implemented within the legal framework of local and central governments.

1.2 Purpose

It is vital to the Rapid Information Systems reputation, operation, and financial wellbeing that company information assets are protected by controls that ensure confidentiality, integrity, and availability. These controls must protect the organization's information assets, and the business processes they support, against unauthorized use, disclosure, transfer, modification, or destruction, whether accidental or intentional, and against the denial of availability of these assets or business processes to legitimate users.

The intention of the Rapid Information Systems IT policy, standards, and procedures is to support the Rapid Information Systems information security policy, ensuring the establishment of procedural, technical, and physical safeguards that Rapid Information Systems will use to protect sensitive information from unauthorized access, disclosure, corruption, or destruction. Rapid Information Systems policy, standards, and procedures will be based upon established industry best practices and internationally recognized information security standards, including ISO 27001.

The Rapid Information Systems information security policy will apply these controls to all information that it stores, processes, or transmits for business, statutory, or regulatory functions on behalf of Rapid Information Systems, Rapid Information Systems customers, or Rapid Information Systems third parties.

1.3 Scope

This Rapid Information Systems information security policy contains a series of common requirements across the Rapid Information Systems business, third-party vendors, and contractors. All employees, contractors, part-time and temporary workers, and those employed by others to perform work on company premises or granted access to company information or systems are covered by and required to adhere to this policy.

1.4 Roles and responsibilities

The senior-level management team serves as the authorizing officials for assessments of all Rapid information systems. These individuals must authorize the information system for processing before commencing operations.

They are responsible for:

  • Providing vision and leadership for developing and implementing information security that aligns with the mission of Rapid Information Systems.
  • Directing the planning and implementation of enterprise IT and Security in support of Rapid Information Systems business operations to assure the confidentiality, availability, and integrity of the information utilized by Rapid Information Systems.
  • Participating in strategic and operational governance processes of Rapid Information Systems as members of the senior management team.
  • Developing and maintaining an appropriate information security structure that supports the needs of the business.
  • Ensuring the security policy is frequently reviewed and updated as needed to ensure compliance.

1.5 Compliance, enforcement, and sanctions

Audits of compliance with this standard shall be performed regularly. Such audits shall be performed by an authorized employee of Rapid Information Systems or by an outside individual or firm at the discretion of management.

Users are required to observe and follow the policies, standards, and procedures of Rapid Information Systems at all times. Non-compliance with the security policies and standards may result in disciplinary action, up to and including termination of employment, unless prohibited by applicable law.

2. Policy

Where possible, all Rapid Information Systems governance policy documentation will address the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance per ISO 27001 guidance.

Rapid Information Systems shall ensure that all policies, procedures, standards, and guidelines are created and maintained by the appropriate responsible party. All IT Security Governance documentation shall be reviewed and updated annually or upon significant organizational change. Where possible, procedures should be developed to directly facilitate the implementation of the policy and the associated technical controls.

This information security policy document states management commitment and sets out Rapid Information Systems' approach to managing information security. Rapid Information Systems ensures information security in all categories. To ensure security, confidentiality, integrity, and availability, Rapid Information Systems has the policies set out below.

2.1 Network security

  • The system shall use password-based authentication.
  • The system shall support multi-level system access and 2-factor authentication.
  • The system shall support multiple concurrent login sessions and authentications, and each session shall be isolated from the others.
  • The system shall enforce strong security rules for user registration and password updates.
  • The system shall terminate a logged-in session after 30 minutes of user inactivity.
  • The system shall keep historical records (logs) of events and processes executed in or by an application.
  • Database access is granted according to the access rights defined in the access control policy.
  • Confidential information must be stored in Amazon AWS with restricted access, so that only authorized users can access it.
  • The system shall ensure business user accounts cannot be administrator accounts and vice versa.
  • User accounts shall hold only the privileges within the application that are needed to perform their responsibilities; privileges must be limited.

2.2 Data security

  • Confidentiality of Rapid Information Systems information is ensured by using the services of Office 365.
  • Data in transit is protected via Azure Information Protection Premium P1, which enables classification and protection of our M365 Outlook data.
  • Database access is managed tightly under the principle of least privilege; users are granted only limited access rights.
  • The database is protected by security controls against threats such as excessive and unused privileges, privilege abuse, SQL injection, poor audit records, storage media exposure, denial of service, and malware.
  • Database activities are audited and monitored by reviewing logs regularly to detect anomalous activity.
  • Database auditing is performed at these levels: access and authentication auditing, user and administrator auditing, security activity monitoring, vulnerability and threat auditing, and change auditing, to minimize attacks on the database.
  • Data will be backed up regularly, and backup data shall be stored in Microsoft SQL Server and Amazon AWS.
  • The system shall ensure all data protected by the application remains consistent (each transaction either creates a new, valid state of the data or returns all data to its state before the transaction was started).

2.3 System security

  • The system implements a security policy that specifies who may have access to each specific system resource and the type of access that is permitted in each instance.
  • An auditing function monitors and keeps a record of user access to system resources.
  • The system is protected by a firewall that enforces the security policies on incoming and outgoing network traffic.
  • The security needs of the system are addressed by removing unnecessary services, applications, and protocols; configuring users, groups, and permissions; and configuring resource controls.
  • The system shall use compile-time and run-time defences to prevent buffer overflow attacks.
  • There should be sufficient security controls in place to keep the application safe without hiding core functionality or source code.
  • Separation of duties can be used to prevent individuals from acting fraudulently.
  • The system shall always check the validity of data that third-party services send and shall not grant those services high-level permissions within the system.
  • System failures (loss of database connection, incorrect information input by a user) shall fail securely.
  • The system shall have multiple layers of security controls in the authentication process for user access.
  • Process communication between the kernel and the user interface must be protected by defining privileges at every level of the 3-tier architecture.