| Reference: 01.21-32.48 | Version: 1.0 | Effective Date: Dec 20, 2018 | Revision Date: Jan 23, 2019 |
| Mortgage Planners – Threat & Incident Management Policy |
| DOMAIN: THREAT & SECURITY INCIDENT MANAGEMENT | DOCUMENT TYPE: SECURITY POLICY |
| SECTION: SECURITY & COMPLIANCE |
Mortgage Planners
1 INTRODUCTION
This document was developed by TCPCOM and defines the requirements for “Threat Management and Response to Security Incidents” at Mortgage Planners.
2 GENERAL INFORMATION
2.1 Revision History
| Version | Date | Summary | Prepared by | Reviewed by | Approved by | Approval Date |
| 1.0 | 2018-11-20 | Initial version | Marc-andre Heroux | NA | NA | NA |
2.2 Related Documents
| Type | Security Requirements |
| Title | Mortgage Planners – Registry of security controls |
2.3 Information Security Responsibility
Senior management is responsible for enforcing the security policy. The security officer is responsible for ensuring that the security policy is properly defined and implemented.
3 SECURITY POLICY OBJECTIVE
3.1 Purpose of the security policy
Adopt security controls commensurate with the assessed risks and impacts in order to protect the company and its business against threats. Preventive and detective controls must be implemented for this purpose.
Ensure the effectiveness of information security procedures, minimize the impact of incidents and security breaches, and monitor and learn from such incidents in order to enhance the protection of informational resources.
3.2 Scope of Security Policy
This policy applies to all employees of Mortgage Planners, to service providers and to employees of third parties performing work related to the information resources of Mortgage Planners.
The scope of cyber assets is as follows: servers, network systems, and the security and utility systems supporting business functions and operations.
3.3 Managing Information Security
The senior management must ensure that a security officer assists Mortgage Planners in defining and implementing effective controls to limit access to information according to roles, need to know and need to use. Processes, mechanisms and solutions to prevent the disclosure of information and to maintain the integrity and availability of informational resources must be defined and implemented.
3.4 Breach of Security Policy
An intentional or unintentional violation of policies, procedures or standards or security requirements of Mortgage Planners may be subject to disciplinary action and may result in termination of employment or contract and possibly civil/criminal justice prosecution.
Anyone suspected of a security breach or deviation will be treated fairly, and a full investigation will be conducted to protect their legal rights.
3.5 Exceptions to the policy
Any exceptions related to this security policy must be approved by the senior management.
4 THREAT PREVENTION AND INCIDENT MANAGEMENT
4.1 Policy Statement
When possible, a control must be in place to prevent a threat. When a control cannot prevent a threat, another control must be in place to detect it and generate a security event.
Requirements must be defined regarding protection against malware (e.g. antivirus requirements for commonly affected systems) as well as for preventive controls (for example, network firewall, web application firewall, Intrusion Prevention System).
To support forensics and investigations, proper logging and alerting controls must be in place. These controls must detect abnormal or unauthorized events and generate an alert.
A process for managing security incidents must be defined and applied.
The monitoring and alerting aspects of security monitoring systems must be defined and adopted to support security incident management.
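As an added illustration of the detective control described above (this is example code, not part of the policy and not TCPCOM's or Mortgage Planners' own tooling), the block below reads authentication log lines, flags abnormal/unauthorized events and emits alert records. The log format (OpenSSH-style `sshd` lines), the sample lines themselves, and the thresholds (5 failures within 60 seconds, and any successful login from a source that already produced such a burst) are assumptions chosen for the example.

```python
"""Added example: a minimal detective control that turns auth log lines
into security events (alerts). Not part of the original policy.

Assumptions (hypothetical): OpenSSH-style sshd log lines; a burst of
FAIL_THRESHOLD failures inside WINDOW_SECONDS from one source is abnormal,
and a success from such a source is treated as a likely unauthorized access.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = """\
2019-01-23T10:00:01 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2019-01-23T10:00:03 srv01 sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
2019-01-23T10:00:05 srv01 sshd[1205]: Failed password for root from 203.0.113.7 port 51140 ssh2
2019-01-23T10:00:07 srv01 sshd[1207]: Failed password for root from 203.0.113.7 port 51151 ssh2
2019-01-23T10:00:09 srv01 sshd[1209]: Failed password for root from 203.0.113.7 port 51160 ssh2
2019-01-23T10:00:12 srv01 sshd[1211]: Accepted password for root from 203.0.113.7 port 51170 ssh2
2019-01-23T10:05:00 srv01 sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
2019-01-23T10:06:00 srv01 sshd[1301]: Failed password for bob from 192.0.2.11 port 40010 ssh2
"""

# Assumed line layout: "<iso-timestamp> <host> sshd[pid]: <Accepted|Failed> <method> for [invalid user ]<user> from <src> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5   # assumed: failures from one source that count as a burst
WINDOW_SECONDS = 60  # assumed: sliding window for counting those failures


def parse_line(line):
    """Return a dict for a recognised auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Stream log lines and return the list of alerts raised, in order.

    Rule 1 (brute_force): at least `fail_threshold` failures from one source
    inside `window` seconds. Raised once per source.
    Rule 2 (success_after_burst): an accepted login from a source that has
    already tripped rule 1; this is the event an analyst must act on first.
    """
    alerts = []
    recent_fail = defaultdict(deque)  # src -> timestamps of failures in the window
    burst_sources = set()
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unrelated line; a real pipeline would count these too
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            q = recent_fail[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:  # drop stale entries
                q.popleft()
            if len(q) >= fail_threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append({"rule": "brute_force", "src": src,
                               "host": ev["host"], "count": len(q),
                               "ts": ts.isoformat()})
        elif src in burst_sources:  # "Accepted" from a source that was bursting
            alerts.append({"rule": "success_after_burst", "src": src,
                           "host": ev["host"], "user": ev["user"],
                           "ts": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed sample, the block raises two alerts for 203.0.113.7: a `brute_force` event at the fifth failure and a `success_after_burst` event when the same source then logs in as root. The single failure from 192.0.2.11 and alice's key-based login produce nothing, which is the point of the thresholds: the control is meant to generate a security event for abnormal activity, not for every failed password.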
4.2 Security Risks
When a threat is prevented, operations, cyber assets and solutions can continue to respond adequately to business needs. When a threat is not prevented, it can affect operations and even the business, so it must be detected so that appropriate action can be taken, automatically or manually. An undetected threat leaves the system administrator (or the person responsible for information security) unaware, and the infrastructure, cyber assets and information must then be considered at risk.
If no clear incident management process is defined and applied together with its supporting functions (e.g. logging, monitoring, alerting), it is difficult, and sometimes impossible, to detect and manage a security incident.
5 REPORTING SECURITY INCIDENTS
5.1 Policy Statement
All employees, contractors and third parties of Mortgage Planners are required to immediately report all security incidents to Mortgage Planners as per the defined process. Management must be notified immediately of any potential or confirmed security incident.
5.2 Security Risks
Without early notification of security incidents, the risk of loss or misuse of the infrastructure, informational resources and proprietary information of Mortgage Planners increases. If a security issue is not communicated quickly, it can be difficult to manage and resolve the incident.
Failing to report or to properly handle a security incident could also result in negative publicity and legal liability for the organization.
Any delay in reporting an incident could impair the ability to understand and identify the actual damage caused by the incident and leave the organization unable to perform the appropriate recovery actions.
6 REPORTING WEAKNESSES OF SECURITY
6.1 Policy Statement
All employees, contractors and third parties of Mortgage Planners are required to immediately report any potential security weakness to management.
6.2 Security Risks
Security holes and weaknesses may expose the facilities, infrastructure, information systems and confidential information of Mortgage Planners. They increase the risk of unauthorized access and expose the firm to malicious actions from internal and external threats. This could have negative consequences for informational resources, operations and the business, and result in legal obligations and financial losses.
7 FAULT SYSTEM OPERATION
7.1 Policy Statement
Any abnormal behaviour of a Mortgage Planners electronic asset must be reported immediately (e.g. software bug, no response from a server, potentially unauthorized access, unavailability of the website, connectivity or access problem).
7.2 Security Risks
If system malfunctions are not reported and treated promptly, the infrastructure and informational resources of Mortgage Planners may be threatened (e.g. unauthorized access, malware, unauthorized actions by internal or external threats).
A malfunction of the system could potentially affect the operation of the infrastructure of Mortgage Planners (efficiency, productivity and data integrity, for example).
8 LEARNING FROM INCIDENTS
8.1 Policy Statement
Mortgage Planners is responsible for operations, infrastructure and information resources and must ensure adequate mechanisms to quantify and monitor the types, levels and costs of security incidents.
8.2 Security Risks
Without defined and maintained security incident metrics, the impact of an incident cannot be measured, and it becomes difficult to identify recurring or significant incidents or to strengthen security controls so as to avoid them.
9 SECURITY TESTING
9.1 Policy Statement
Mortgage Planners is responsible for its operations and informational resources. The organization must ensure that a methodology for penetration testing activities is defined and implemented.
Mortgage Planners must perform external penetration testing at least once a year. It is also recommended to perform a penetration test whenever a significant change occurs to a key asset within the scope of the Mortgage Planners services infrastructure.
9.2 Security Risks
Without a penetration testing methodology defined and implemented, weaknesses in the infrastructure and informational resources could remain undetected and be exploited by a threat agent for an extended period.
A weak system could potentially be exploited by a threat agent and have an impact on the operation of the infrastructure of Mortgage Planners (efficiency, productivity and data integrity, for example).
10 INTERNAL SPECIFICATIONS
10.1 Forensic
A procedure must exist that defines the main actions to be followed in cyber investigations and forensics.
