
Information Security

OVERVIEW and Policy Statement

Information and information assets of AC must be protected from all internal and external threats, deliberate or accidental. Information security policies, guidelines and procedures are developed and implemented to mitigate risks and to reduce the potential impact to the organization.  

This set of guidelines summarizes the Information Security Policy. This policy is put in place to continually strengthen and improve the Company’s information security and to ensure that information assets are protected from mishandling, improper usage and unauthorized access or disclosure.   

All policies regarding information security, standards, guidelines, and procedures are the responsibility of the Information and Communications Technology (AC-ICT) Department, for approval by senior management.

Physical Security to Control Information Access

  1. AC management must ensure that access to every office, data center and AC work area containing sensitive information is physically restricted to prevent the entry of unauthorized personnel.  
  2. AC management must restrict physical offices and workspaces (including data centers) from general access using locked doors that can be accessed and opened only by individuals who have been granted the necessary access. This can be operationalized with a biometric access system.  
  3. The ICT Department must ensure all AC servers and network equipment are physically secured to prevent or minimize the possibility of theft.   
  4. During non-working hours, employees must ensure that all information is secured and locked up if the workstation / work area contains sensitive information.  
  5. Work desks must be clear and clean of media with sensitive information during non-working hours. 
  6. Documents containing sensitive or confidential information must be stored in a manner that meets their information security requirements.  
  7. Employees must lock their sessions every time they leave their workstation.  
  8. IT equipment must not be removed from its primary location without proper authorization and approval from an appropriate level of management. 

Passwords and Need-to-Know

  1. The ICT Department must ensure that all AC computers that store sensitive information have a password-based or biometric access control system that limits access to authorized personnel only.  
  2. Computers must lock automatically after a defined period of inactivity, with the screen going blank or into screensaver mode.   
  3. Classified, sensitive or confidential corporate data or information may only be transferred across networks, or copied to other media once it has been encrypted and password protected.  Passwords must not be sent in the same email as the document that has been encrypted with that password.  
  4. Access to information and information systems should be granted only on a “need to know” and “need to use” basis.  
  5. Everyone must use difficult-to-guess passwords.  This means that passwords should be at least 8 characters long, with both upper and lower-case characters, not based on personal information, and have numeric digits and special characters if the system will allow.  
  6. Passwords must be changed at periodic intervals, or at any time based on an evaluation of risk and threat factors.  
  7. Passwords should not be written in some readily decipherable form and left in a place where unauthorized persons might discover them.  
  8. Never share nor reveal your passwords to anyone.  

Computer Viruses and Other Malware

  1. The ICT Department will ensure that anti-virus, anti-spam, and other anti-malware defense systems are incorporated in the servers, network and client or standalone computers as may be deemed necessary. 
  2. Employees should not abort authorized automatic software processes that update computer anti-virus and other software that can prevent malware attacks. 
  3. If there is a suspected infection by a computer virus or malware, users must immediately stop using the involved computer and all other external disks or other digital storage media used with the infected computer.  The infected computer must also be immediately isolated from internal networks.  The incident must immediately be reported to the AC-ICT. 
  4. Employees are not allowed to install or run unlicensed software. 
  5. Employees are not allowed to copy software provided by AC to any storage media, transfer such software to another computer, or share such software with outside parties without advance permission from their supervisor and AC-ICT.

Protecting Information

  1. The ICT Department must ensure that BitLocker is enabled for all company issued laptops and desktops.
  2. Unless information is designated as unclassified, employees must protect all AC internal information from disclosure to third parties. When deemed necessary, the appropriate Non-Disclosure Agreement (NDA) shall be executed.   
  3. Employees must immediately notify the Information Owner and AC-ICT if sensitive information is lost, is disclosed to unauthorized parties, or is suspected of being lost or disclosed to unauthorized parties. 
  4. Unless authorized by the information owners to make public disclosures, employees must refer all requests for information about AC and its businesses to the AC Public Affairs Department. 
  5. Information about security measures for AC computer and network systems is confidential and must not be released to anyone unless authorized by the AC-ICT Head.

Procurement

  1. Ensure that all IT purchases of new system hardware or new components for existing systems are made in accordance with technical standards, information security and other company policies. 
  2. AC management must make appropriate arrangements with software vendors for additional licensed copies when additional copies are needed for business activities. All software shall be acquired with the approval of AC-ICT.

Other Guidelines

  1. Employees cannot represent AC in internet discussion groups, social media and in other public forums unless authorized to act in this capacity by senior management. 
  2. On an annual basis, all employees are required to recertify that they have read and understood, and agree to comply with, AC Information Security policies and guidelines.   
  3. All employees are mandated to immediately report any and all suspected policy violations, system intrusions, virus and malware infestations, and other similar conditions that might jeopardize AC information and information systems to AC-ICT.

For any questions and clarifications, please contact the policy owner.