Customer-Facing Information Security Policy

Similar documents
Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Information Security Incident Response

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Fraud-Related Compliance

Information Security Program

Corporate Compliance and Ethics Program Effective as adopted on February 21, 2012

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Logging In: Auditing Cybersecurity in an Unsecure World

ISO Controls and Objectives

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Corporate Information Security Management Policy

Third-Party Access and Management Policy

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

VENDOR MANAGEMENT. General Overview

ANTI-FRAUD POLICY Adopted August 13, 2015

Contact: Henry Torres, (870)

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

UNIVERSAL INSURANCE HOLDINGS, INC. CODE OF BUSINESS CONDUCT AND ETHICS. Revised as of March 3, 2014

Microsoft s Compliance Framework for Online Services

TELEFÓNICA UK LTD. Introduction to Security Policy

<COMPANY> P01 - Information Security Policy

University of Pittsburgh Security Assessment Questionnaire (v1.5)

INFORMATION TECHNOLOGY SECURITY STANDARDS

SECURITY RISK MANAGEMENT

Managing data security and privacy risk of third-party vendors

Standards of. Conduct. Important Phone Number for Reporting Violations

PII Compliance Guidelines

Policy-Standard heading. Fraud and Corruption Policy

Code of Business Conduct

Evergreen Solar, Inc. Code of Business Conduct and Ethics

Managing General Agents (MGAs) Guideline

Network Security: Policies and Guidelines for Effective Network Management

CUBIC ENERGY, INC. Code of Business Conduct and Ethics

ISO27001 Controls and Objectives

COMPLIANCE PROGRAM GUIDANCE FOR MEDICARE FEE-FOR-SERVICE CONTRACTORS

Hans Bos Microsoft Nederland.

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Delphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11

Information Security Management System (ISMS) Policy

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Client Security Risk Assessment Questionnaire

MEDICAID COMPLIANCE POLICY

Vulnerability Management Policy

Antifraud program and controls assessment grid*

Payment Card Industry Data Security Standard

CODE OF ETHICS AND BUSINESS CONDUCT

05.0 Application Development

Document Title: System Administrator Policy

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Business Conduct, Compliance and Ethics Program. important

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

A Flexible and Comprehensive Approach to a Cloud Compliance Program

FCPA 10 Hallmarks Self- Assessment

Information Security: Business Assurance Guidelines

PostNL Group Policy. on Fraud Prevention. PostNL Group Policy. on Fraud Prevention Page 1 of 15

Information Security Awareness Training

LIVING THE FIRMENICH FUNDAMENTALS EACH AND EVERY DAY

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

BYOD. opos WHAT IS YOUR POLICY? SUMMARY

Samsung Engineering Co., Ltd.

ELEMENT FINANCIAL CORPORATION CODE OF BUSINESS CONDUCT AND ETHICS

Data Protection Breach Management Policy

Credit Card (PCI) Security Incident Response Plan

STATEMENT FROM THE CHAIRMAN

North American Electric Reliability Corporation (NERC) Cyber Security Standard

16) INFORMATION SECURITY INCIDENT MANAGEMENT

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

White Paper: The Seven Elements of an Effective Compliance and Ethics Program

Security Controls What Works. Southside Virginia Community College: Security Awareness

Payment Card Industry Data Security Standards

Guide for the Role and Responsibilities of an Information Security Officer Within State Government

PHI Air Medical, L.L.C. Compliance Plan

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

CLASSIFICATION SPECIFICATION FORM

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

WSFS Bank Center. 500 Delaware Avenue. Wilmington, Delaware ETHICS POLICY

CORPORATE COMPLIANCE PROGRAM

Fraud, Waste and Abuse

How to Protect Intellectual Property While Offshore Outsourcing?

PCI Compliance Overview

Revised 05/22/14 P a g e 1

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

Cloud Security Trust Cisco to Protect Your Data

INFORMATION SECURITY PROCEDURES

2012 雲 端 資 安 報 告. 黃 建 榮 資 深 顧 問 - Verizon Taiwan. August 2012

Transcription:

Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation

Table of Contents Compliance Framework... 1 High-Level Information Security Program... 2 Compliance... 2 Violations... 2 Audit of Third-Party Service Providers... 3 Ownership and Authority... 4 Document History... 5 Approval History... 5 Revision History... 5 Customer-Facing Information Security Policy ii Last Update: 03/23/2015

Compliance Framework Symantec is committed to the protection of the company s information technology, brand, intellectual property, personal information and customer data from misuse or compromise. This customer-facing policy defines how Symantec protects its assets and reputation from threats associated with misuse or compromise of information/data. This includes whether the threat is internal or external, deliberate or accidental in nature. All parties under the scope of this customer-facing policy must abide by the following core principles: Regulatory/Legal Compliance: The company shall achieve and maintain compliance with all applicable laws and regulations. Follow Industry Recognized Guidance: Symantec uses the following industry guidance in the development and review of company security requirements and controls: International Organization for Standardization (ISO) 27001:2005 and ISO 27002:2005. Payment Card Industry (PCI) Data Security Standard (DSS) National Institute of Standards and Technology (NIST) Special Publications (SP) The Open Web Application Security Project (OWASP) Protections based on information classification: Application of appropriate security controls is based on having managed information classified by category of information. Managed data and information is classified according to the potential risk and impact of exposure. Therefore, an information classification method will be utilized to determine the protection requirements for managed data. Managed data and information in higher risk classifications will have more stringent control requirements. Be accountable: Roles and responsibilities for access to managed data are defined, communicated and acknowledged to establish and maintain accountability for security within the organization. Integrate security within the business: Information security considerations are incorporated into all areas of the business so they are integrated into business processes and ongoing daily routines. This includes a continuous improvement approach to building in security controls within application or product development lifecycles. Foster a security culture: Management will promote a security-minded culture by providing ongoing education and awareness of security topics. A company information security program is responsible for ensuring ongoing education, awareness and administration of activities related to policy compliance. Manage security risk: Risks to information confidentiality, integrity or availability are actively managed. Threats and vulnerabilities must therefore be identified and risk potential must be assessed. Identified risks are documented, mitigated with internal controls, and reported to management in a timely manner. Measure and report: Adherence to the information security policy and program components is actively monitored, measured, and reported. Investigate and respond to incidents: Breaches of information security controls, actual or suspected, must be reported to management and the Global Security Office Incident Response Team in a timely manner. Each incident will be investigated thoroughly and credibly, consistent with industry best forensic and investigation practices. Responses to incidents will follow established guidelines. Customer-Facing Information Security Policy Page 1 of 5 Last Update: 03/23/2015

Maintain continuous business operations: Business operations are regularly evaluated to establish a hierarchy of critical functions and/or systems. Business continuity management processes are established to provide a framework for building resilience into operations and the capability for an effective response in the event of an operational incident. High-Level Information Security Program The Information Security Policy establishes the information security principles at Symantec, but does not detail every security control or technical requirement. Detailed security requirements are documented in other classes of documentation in a hierarchy that becomes progressively more specific. Symantec s Information Security Program consists of the following classes of documentation: Information Security Policy: defines information security management and governance requirements within the company and provides the principles for the Information Security Program. Security Standards: contain mandatory internal controls designed to provide the Information Security Policy with the support structure and specific directions it requires. Controls within the security standards are derived from the international security standard ISO 27001/27002. These may also be further detailed by requirements from the PCI DSS or NIST special publications as applicable. Security Methods: contain mandatory configuration settings derived from controls established in the security standards. These documents define configuration settings for a specific technology platform or application. Security Guidelines: provide advisory information and guidance to assist in the implementation of security controls. Guidelines do not establish controls and therefore contain no mandatory requirements. They serve as additional support in implementing the defined standards. Compliance All employees, contractors, consultants, service providers, partners, or entities acting on behalf of Symantec must adhere to this Information Security Policy. This is inclusive of all supporting standards in the Information Security Program. Before accessing or using Symantec resources, employees must review and agree to adhere to the Information Security Policy. Violations Any Symantec employee that violates the Information Security Policy may be subject to disciplinary action up to and including termination of employment. Additionally, any individual who violates this policy may be subject to civil penalties or criminal prosecution under applicable laws or government regulations. In addition to reporting incidents to management and Global Security Intelligence Operations (GSIO), policy violations or related misconduct should be reported to Symantec s Ethics Line. Where permitted, a report can be made anonymously. Retaliation against anyone who makes such a report in good faith is prohibited. Information systems will be regularly checked for compliance with security policies and standards. All areas within the company are subject to regular reviews to ensure compliance with security policies and standards. Customer-Facing Information Security Policy Page 2 of 5 Last Update: 03/23/2015

Audit of Third-Party Service Providers Where applicable, third parties must be engaged through the Vendor Management Program. Symantec non-public data may only be shared with third parties upon signing of a Non-Disclosure Agreement. GSO has the responsibility for audits of our third party capabilities to ensure compliance with all applicable Symantec information security policies. Where applicable, third-party service provisions in all master services or consulting agreements for outsourced services include a right to audit clause, allowing Symantec to audit that entity at will. Additionally, contracts require outsourced entities to provide Symantec a copy of its third-party audit report (e.g., ISAE 3402 audit report or SSAE 16 SOC report) where appropriate. The risks associated with access to the company s information systems by third parties must be continually assessed and appropriate security controls must be implemented. Customer-Facing Information Security Policy Page 3 of 5 Last Update: 03/23/2015

Ownership and Authority Title Organization/Authority Customer-Facing Information Security Policy Global Security Office Last Review Date 03/23/2015 Impacted Functions/Audience For questions about this standard, contact: Symantec Customers DL-IT-CustomerTrustOffice@symantec.com Customer-Facing Information Security Policy Page 4 of 5 Last Update: 03/23/2015

Document History Approval History Approver Version Date SGRC 2.6 03/23/2015 Revision History Change Reference Version Date Revision 2.0 draft 2.0 03/21/2013 Incorporated comments from internal SGRC review to draft v2. 2.1 04/05/2013 Incorporated comments from working group (Legal, ITS, HR, GSO safety & security) to draft v2.2 Incorporated comments from working group, extended reviewers (from Legal), and GSO management into draft v2.3 2.2 04/18/2013 2.3 05/13/2013 Revised for new nomenclature. 2.4 01/17/2014 Revised to be Customer Facing 2.5 07/22/2014 Reviewed information, updated content to reflect organizational changes, moved content to the new policy template, reviewed for minor grammar and style issues, and published. 2.6 03/23/2015 Customer-Facing Information Security Policy Page 5 of 5 Last Update: 03/23/2015

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information