ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

Transcription

1 ADEC GROUP INFORMaTiON SecURiTY AND CONTROLS

2 Rising To Global Information Challenges Information is your most valuable commodity today. As a global enterprise servicing a wide range of businesses, ADEC Group provides our clients and partners with fully secure systems that back up the delivery of your services and solutions. With many companies and governments facing increasing risks to information security, ADEC Group s Information Security Management System (ISMS) maintains an information technology structure that fully complies with international standards such as ISO, and other industry best practices. With access to certain industry certifications and accreditations, all ADEC Group companies are committed to adhering to recognized best practices. The Need for Information Security Fully certified under ISO 27001:2005, ADEC Group s ISMS ensures improved productivity and performance levels by: Minimizing fraud in internal and external transactional systems Increasing efficiencies by streamlining processes across the network Lessening vulnerability of internal ADEC Group systems to information risks, such as cyber-attacks, hacking, loss of data, etc. Implementing best practice methodologies (Information Technology Infrastructure Library) Reducing costs of access and compliance to IT standards Adhering to corporate governance through higher levels of transparency and accountability Establishing mechanisms for stronger oversight of internal and external information management procedures Improving and/or complementing internal and external risk management procedures ISO 27001:2005 Under this standard, ADEC Group is required to: Systematically examine the organization s information security risks; Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment; and Adopt an overarching management process to ensure that the information security controls continue to meet the company s information security needs on an ongoing basis. 02 ADEC Group Information Security Domains and Controls

3 ADEC GROUP* ISMS ADEC Group is fully compliant with industry standards and best practices: Relevant ISO and other industry certifications COMPLIANCE ISO 27001: Information Security Management Systems (ISMS). Certified as of March ISO 14001: Environmental Management System (EMS). Certified as of December ISO 9001: Quality Management System (QMS). Certified as of November PCI DSS Payment Card Industry Data Security Standard. Certified in the United States since Security Policies Establishment of an Information Security Policy that conforms to all relevant laws, regulations and private certificatory requirements. Electronic Data Management System ADEC Group has developed a full suite of access management and control measures for its entire information network structure. This involves detecting, remediating and reducing unauthorized access and fraud. It also includes the cost of compliance across the different business units. ACCESS CONTROL Access Control Policy. Documents full compliance with business requirements for Access Control. User Access Management. Sets the rules for privilege management. User Responsibilities. Includes password selection and use. Network Access Control. Includes a system for external connection authentication. Operating System Access Control. Features secure log-on, use of utilities, session time-out. Application & Information Access Control. Includes sensitive system isolation. Mobile Computing & Teleworking *ADEC Group has access to the different certifications and accreditations described herein through the different member companies American Data Exchange, A-Plus English Online, ADEC Solutions, FirstCarbon Solutions and PharmaKPO. 03 ADEC Group Information Security Domains and Controls

4 ADEC GROUP ISMS ADEC Group s Business Continuity Management Plan is aimed at minimizing information systems and process disruption problems such as data losses, and ensuring the protection of information availability and business continuity at all times, based on a thorough risk assessment in which all possible causes of interruptions and corresponding mechanisms to address each have been identified. Business Security Planning: Departmental procedures for critical functions that are needed, including a communication and evacuation plan, contact information of relevant people, institutions and entities. Regular testing through desktop audits, confidence tests and back-up integrity tests. Power redundancies, Uninterrupted Power Supply (UPS), multiple generator sets. Three times redundant Internet Service Providers (ISP) with automatic switchover upon failure of primary connection. BUSINESS CONTINUITY MANAGEMENT Information Security Incident Management: Procedures for reporting and handling IT, physical security, non-it/ non-security and medical incidents. High-level Information Security Investigation Committee (ISIC) which is primarily responsible for addressing serious IT breaches. Consolidation and analysis of incident reports by Information Security Group (ISG). Emergency Response Planning Establishment of an Emergency Response Team. Procedures for emergency situations such as fire, severe weather, etc. Conduct and documentation of fire drills and evaluation exercises. Disaster Recovery Planning Procedures on recovery from IT-related disasters, such as internet connection failure, major power breakdowns, network virus outbreak, critical server crash. 04 ADEC Group Information Security Domains and Controls

5 ADEC GROUP ISMS To ensure accurate and secure operation of information processing facilities, ADEC Group s ISMS has thoroughly documented operating procedures to cover all significant system activities segregation of duties and change management procedures. COMMUNICATIONS AND OPERATIONS MANAGEMENT Operational procedures and responsibilities (documentation, change management, segregation of duties, separation of development, test and operational facilities). Third-party service delivery management. System planning and acceptance (capacity management). Protection against malicious and mobile code. Back-up. Network security management and media handling (disposal). Exchange of information (media in transit, electronic messaging, interconnection of systems). E-commerce services (web hosting). Monitoring (includes detection of unauthorized activities, audit logging, administrator and operator logs). Under ISO, security is an integral part of information systems and business processes. At ADEC Group, this is clearly managed through: INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE Security Requirements of Information Systems to ensure the documentation of business requirements for new information systems, as well as enhancements to existing systems. Correct processing in applications to prevent errors, loss, unauthorized modification or misuse of information in applications. Cryptographic controls (key management) to protect the confidentiality, integrity and authenticity of information by cryptographic means. Security of System Files to control the installation of software on operational systems, and minimize the risk of interruptions in or corruption of information services. Access to program source codes is also restricted. Security in Development & Support Processes (change management) to maintain the security of system software and information. Technical Vulnerability Management to reduce risks resulting from exploitation of published technical vulnerabilities. 05 ADEC Group Information Security Domains and Controls

6 ADEC GROUP ISMS To ensure that employees, contractors and third-party users are suitable and do not present risks of fraud, theft, or misuse of facilities, ADEC Group utilizes a full range of screening methods for new employees and processes to orient on-board employees on information security needs. Employee Screening Pre-employment - Thorough background and credit checks, as well as drug testing for all employees. Employment - Information security duties and responsibilities are specified in the employment contract. Employees sign non-disclosure agreements (NDA). Employees also undergo annual background and credit checks, as well as drug testing. Termination/ Change of Employment - Establishment of a resigned loop account informing concerned departments of an employee resignation and corresponding revocation of logical system access ( account, usernames) and physical premise (ID card) entry. HUMAN RESOURCES SECURITY Secure Areas For our production facilities in Manila, Philippines: Fenced by a barb-wired perimeter wall with 24-hour on-duty security guards Premises monitored thru CCTV System with 120 day DVR retention Monitored by access level-based proximity card system Secured with in-house roving guards Visitors are escorted and issued color-coded IDs when inside the premises and are asked to sign NDAs whenever necessary For our production facility in Deposit, New York: Premises monitored through CCTV System with DVR retention of 90 days Monitored by access level-based proximity card system Visitors are escorted and issued IDs when inside the premises and are asked to sign NDAs whenever necessary Monitored by access level-based proximity card system Equipment Security Facilities support: Access Control procedure Temperature-controlled work areas Fire suppression mechanisms deployed such as extinguishers, fire/smoke detectors UPS and Automatic Volt Regulators (AVR) with built-in surge suppressors Structured cabling Regular preventative maintenance recorded and reviewed No storage device drives and USB ports disabled 06 ADEC Group Information Security Domains and Controls

7 ADEC GROUP ISMS Protection of organizational assets is a must, particularly for an IT-intensive operation. At ADEC Group: Organizational assets are maintained and monitored through the Asset Information Management System (AIMS). ASSET MANAGEMENT All software is certified to be licensed by Software Asset Management (SAM) which is endorsed by the Business Software Alliance (BSA). Information classification and labeling as per distribution, retention, disclosure and disposal. Establishment of data destruction policies and processes (disposal/crosscut shredding procedure, hard drive wiping through DBAN and if hard drive is unusable, it is physically destroyed beyond re-use). ADEC Group s overall administrative structure ensures the maintenance of a managed information security system, as well as Management s commitment to security. ORGANIZATION OF INFORMATION SECURITY For our office in Manila, Philippines: Information Security Manager reports directly to the Executive Office Establishment of System Monitoring & Compliance Department (SMCD) Membership in external organizations, primarily: Business Processing Association of the Philippines (BPAP) Information Technology Association of the Philippines (ITAP) For our office in Deposit, New York: Information Security Manager reports directly to the General Manager Establishment of Compliance Department 07 ADEC Group Information Security Domains and Controls

8 About ADEC Group Processing over 30 million transactions each month, ADEC Group works seamlessly to provide comprehensive services and solutions to help you reduce costs, optimize resource use, improve operational efficiencies and, for partners, generate new revenue streams. American Data Exchange Corporation Knowledge Processing Services With over 14 years experience in the high-value real estate industry, American Data Exchange continues to fulfill managed service requirements to increase efficiencies and improve clients overall business operations. Partnering with clients to develop and implement customized outsourced solutions including call center, insurance and closing/settlement services and superior back-office management support, AMDATEX, deploys certified best practices using the most advanced technology for digital data capture, character recognition, data conversion, database creation and arching for knowledge process services. A-Plus English Online Educational Online Language Learning Service A-Plus English Online provides different institutions access to the best online educational resources focusing on Chinese and English language proficiency. With world-class technology and a highly competent faculty, A-Plus English Online offers scalable, effective and dynamic online learning solutions around the globe to those who want to learn English as a second language. ADEC Solutions Business and Back Office Processing ADEC Solutions provides back office processing, saving you time and money, and helping you focus on more strategic activities. We provide customizable and tailor-made onshore and offshore solutions that are cost-effective, such as mailroom services, scanning and imaging, data capture and conversion, quality assurance and exception management, data and document storage, supply chain and research services for professionals in accounts payable, human resources, healthcare, banking, legal, insurance, retail and consumer products and services. FirstCarbon Solutions Environmental and Data Management Solutions FirstCarbon Solutions collaborates with you to balance profitability and sustainability through a unique combination of environmental consulting, software, and extensive back office information processing capabilities. We will help you eliminate inefficiencies and costs that contribute to an excessive use of resources across the supply chain and help you tackle the data for better decisionmaking and improved business performance. PharmaKPO Pharmaceutical and Healthcare-focused Solutions PharmaKPO partners with industry leaders like Zuellig Pharma to offer a wide range of services focusing on the pharmaceutical and healthcare industries. Our unique domain expertise will help you develop the solutions that will drive the highest value for your organization in a highly competitive industry whether it be simple data and document management spanning various functions across your business or specific solutions including patient chart scanning and medical records sorting and indexing. AGINFOSEC-0613A 08 ADEC Group Information Security Domains and Controls