ADEC GROUP INFORMATION SECURITY AND CONTROLS




Rising To Global Information Challenges

Information is your most valuable commodity today. As a global enterprise servicing a wide range of businesses, ADEC Group provides our clients and partners with fully secure systems that back up the delivery of your services and solutions. With many companies and governments facing increasing risks to information security, ADEC Group's Information Security Management System (ISMS) maintains an information technology structure that fully complies with international standards such as ISO, and other industry best practices. With access to certain industry certifications and accreditations, all ADEC Group companies are committed to adhering to recognized best practices.

The Need for Information Security

Fully certified under ISO 27001:2005, ADEC Group's ISMS ensures improved productivity and performance levels by:
- Minimizing fraud in internal and external transactional systems
- Increasing efficiencies by streamlining processes across the network
- Lessening vulnerability of internal ADEC Group systems to information risks, such as cyber-attacks, hacking, loss of data, etc.
- Implementing best practice methodologies (Information Technology Infrastructure Library)
- Reducing costs of access and compliance to IT standards
- Adhering to corporate governance through higher levels of transparency and accountability
- Establishing mechanisms for stronger oversight of internal and external information management procedures
- Improving and/or complementing internal and external risk management procedures

ISO 27001:2005

Under this standard, ADEC Group is required to:
- Systematically examine the organization's information security risks;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the company's information security needs on an ongoing basis.
02 ADEC Group Information Security Domains and Controls

ADEC GROUP* ISMS

ADEC Group is fully compliant with industry standards and best practices.

COMPLIANCE

Relevant ISO and other industry certifications:
- ISO 27001:2005 - Information Security Management Systems (ISMS). Certified as of March 2007.
- ISO 14001:2004 - Environmental Management System (EMS). Certified as of December 2009.
- ISO 9001:2008 - Quality Management System (QMS). Certified as of November 2005.
- PCI DSS - Payment Card Industry Data Security Standard. Certified in the United States since 2005.

Security Policies

Establishment of an Information Security Policy that conforms to all relevant laws, regulations and private certificatory requirements.

Electronic Data Management System

ADEC Group has developed a full suite of access management and control measures for its entire information network structure. This involves detecting, remediating and reducing unauthorized access and fraud. It also includes the cost of compliance across the different business units.

ACCESS CONTROL

- Access Control Policy. Documents full compliance with business requirements for Access Control.
- User Access Management. Sets the rules for privilege management.
- User Responsibilities. Includes password selection and use.
- Network Access Control. Includes a system for external connection authentication.
- Operating System Access Control. Features secure log-on, use of utilities, session time-out.
- Application & Information Access Control. Includes sensitive system isolation.
- Mobile Computing & Teleworking

*ADEC Group has access to the different certifications and accreditations described herein through the different member companies American Data Exchange, A-Plus English Online, ADEC Solutions, FirstCarbon Solutions and PharmaKPO.

ADEC GROUP ISMS

BUSINESS CONTINUITY MANAGEMENT

ADEC Group's Business Continuity Management Plan is aimed at minimizing information systems and process disruption problems such as data losses, and ensuring the protection of information availability and business continuity at all times. It is based on a thorough risk assessment in which all possible causes of interruptions, and the corresponding mechanisms to address each, have been identified.

Business Security Planning:
- Departmental procedures for critical functions that are needed, including a communication and evacuation plan, and contact information of relevant people, institutions and entities.
- Regular testing through desktop audits, confidence tests and back-up integrity tests.
- Power redundancies: Uninterrupted Power Supply (UPS), multiple generator sets.
- Triply redundant Internet Service Providers (ISP) with automatic switchover upon failure of the primary connection.

Information Security Incident Management:
- Procedures for reporting and handling IT, physical security, non-IT/non-security and medical incidents.
- High-level Information Security Investigation Committee (ISIC), which is primarily responsible for addressing serious IT breaches.
- Consolidation and analysis of incident reports by the Information Security Group (ISG).

Emergency Response Planning:
- Establishment of an Emergency Response Team.
- Procedures for emergency situations such as fire, severe weather, etc.
- Conduct and documentation of fire drills and evaluation exercises.

Disaster Recovery Planning:
- Procedures on recovery from IT-related disasters, such as internet connection failure, major power breakdowns, network virus outbreak, critical server crash.

ADEC GROUP ISMS

COMMUNICATIONS AND OPERATIONS MANAGEMENT

To ensure accurate and secure operation of information processing facilities, ADEC Group's ISMS has thoroughly documented operating procedures covering all significant system activities, segregation of duties and change management procedures:
- Operational procedures and responsibilities (documentation, change management, segregation of duties, separation of development, test and operational facilities).
- Third-party service delivery management.
- System planning and acceptance (capacity management).
- Protection against malicious and mobile code.
- Back-up.
- Network security management and media handling (disposal).
- Exchange of information (media in transit, electronic messaging, interconnection of systems).
- E-commerce services (web hosting).
- Monitoring (includes detection of unauthorized activities, audit logging, administrator and operator logs).

INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

Under ISO, security is an integral part of information systems and business processes. At ADEC Group, this is clearly managed through:
- Security Requirements of Information Systems, to ensure the documentation of business requirements for new information systems, as well as enhancements to existing systems.
- Correct processing in applications, to prevent errors, loss, unauthorized modification or misuse of information in applications.
- Cryptographic controls (key management), to protect the confidentiality, integrity and authenticity of information by cryptographic means.
- Security of System Files, to control the installation of software on operational systems and minimize the risk of interruptions in or corruption of information services. Access to program source code is also restricted.
- Security in Development & Support Processes (change management), to maintain the security of system software and information.
- Technical Vulnerability Management, to reduce risks resulting from exploitation of published technical vulnerabilities.

ADEC GROUP ISMS

HUMAN RESOURCES SECURITY

To ensure that employees, contractors and third-party users are suitable and do not present risks of fraud, theft, or misuse of facilities, ADEC Group utilizes a full range of screening methods for new employees and processes to orient on-board employees on information security needs.

Employee Screening:
- Pre-employment - Thorough background and credit checks, as well as drug testing for all employees.
- Employment - Information security duties and responsibilities are specified in the employment contract. Employees sign non-disclosure agreements (NDA). Employees also undergo annual background and credit checks, as well as drug testing.
- Termination/Change of Employment - Establishment of a resigned-loop email account informing concerned departments of an employee resignation and the corresponding revocation of logical system access (email account, usernames) and physical premise (ID card) entry.

Secure Areas

For our production facilities in Manila, Philippines:
- Fenced by a barbed-wire perimeter wall with 24-hour on-duty security guards
- Premises monitored through a CCTV system with 120-day DVR retention
- Monitored by an access level-based proximity card system
- Secured with in-house roving guards
- Visitors are escorted and issued color-coded IDs when inside the premises and are asked to sign NDAs whenever necessary

For our production facility in Deposit, New York:
- Premises monitored through a CCTV system with DVR retention of 90 days
- Monitored by an access level-based proximity card system
- Visitors are escorted and issued IDs when inside the premises and are asked to sign NDAs whenever necessary

Equipment Security

Facilities support:
- Access Control procedure
- Temperature-controlled work areas
- Fire suppression mechanisms deployed, such as extinguishers and fire/smoke detectors
- UPS and Automatic Volt Regulators (AVR) with built-in surge suppressors
- Structured cabling
- Regular preventative maintenance, recorded and reviewed
- No storage device drives, and USB ports disabled

ADEC GROUP ISMS

ASSET MANAGEMENT

Protection of organizational assets is a must, particularly for an IT-intensive operation. At ADEC Group:
- Organizational assets are maintained and monitored through the Asset Information Management System (AIMS).
- All software is certified to be licensed by Software Asset Management (SAM), which is endorsed by the Business Software Alliance (BSA).
- Information classification and labeling as per distribution, retention, disclosure and disposal.
- Establishment of data destruction policies and processes (disposal/crosscut shredding procedure; hard drive wiping through DBAN, and if a hard drive is unusable, it is physically destroyed beyond re-use).

ORGANIZATION OF INFORMATION SECURITY

ADEC Group's overall administrative structure ensures the maintenance of a managed information security system, as well as Management's commitment to security.

For our office in Manila, Philippines:
- Information Security Manager reports directly to the Executive Office
- Establishment of the System Monitoring & Compliance Department (SMCD)
- Membership in external organizations, primarily: Business Processing Association of the Philippines (BPAP); Information Technology Association of the Philippines (ITAP)

For our office in Deposit, New York:
- Information Security Manager reports directly to the General Manager
- Establishment of a Compliance Department

About ADEC Group

Processing over 30 million transactions each month, ADEC Group works seamlessly to provide comprehensive services and solutions to help you reduce costs, optimize resource use, improve operational efficiencies and, for partners, generate new revenue streams.

American Data Exchange Corporation - Knowledge Processing Services

With over 14 years' experience in the high-value real estate industry, American Data Exchange continues to fulfill managed service requirements to increase efficiencies and improve clients' overall business operations. Partnering with clients to develop and implement customized outsourced solutions including call center, insurance and closing/settlement services and superior back-office management support, AMDATEX deploys certified best practices using the most advanced technology for digital data capture, character recognition, data conversion, database creation and archiving for knowledge process services.

A-Plus English Online - Educational Online Language Learning Service

A-Plus English Online provides different institutions access to the best online educational resources focusing on Chinese and English language proficiency. With world-class technology and a highly competent faculty, A-Plus English Online offers scalable, effective and dynamic online learning solutions around the globe to those who want to learn English as a second language.

ADEC Solutions - Business and Back Office Processing

ADEC Solutions provides back office processing, saving you time and money, and helping you focus on more strategic activities. We provide customizable and tailor-made onshore and offshore solutions that are cost-effective, such as mailroom services, scanning and imaging, data capture and conversion, quality assurance and exception management, data and document storage, supply chain and research services for professionals in accounts payable, human resources, healthcare, banking, legal, insurance, retail and consumer products and services.

FirstCarbon Solutions - Environmental and Data Management Solutions

FirstCarbon Solutions collaborates with you to balance profitability and sustainability through a unique combination of environmental consulting, software, and extensive back office information processing capabilities. We will help you eliminate inefficiencies and costs that contribute to an excessive use of resources across the supply chain and help you tackle the data for better decision-making and improved business performance.

PharmaKPO - Pharmaceutical and Healthcare-focused Solutions

PharmaKPO partners with industry leaders like Zuellig Pharma to offer a wide range of services focusing on the pharmaceutical and healthcare industries. Our unique domain expertise will help you develop the solutions that will drive the highest value for your organization in a highly competitive industry, whether it be simple data and document management spanning various functions across your business or specific solutions including patient chart scanning and medical records sorting and indexing.

AGINFOSEC-0613A