Information Security Policy
Gallus Insights - Information Security Policy
Security Policy for Gallus Infostructure
The Gallus infrastructure has been designed to be one of the most flexible and secure cloud computing environments available today.
It is designed to provide an extremely scalable, highly reliable platform that enables customers to deploy applications and data quickly and securely. This infrastructure is built and managed not only according to security best practices and standards, but also with the unique needs of the cloud in mind. Gallus uses redundant and layered controls provided by Amazon Web Services and other cloud computing providers, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24x7. Gallus ensures that these controls are replicated in every new data center or service and for every cloud computing provider.
All Gallus customers benefit from a data center and network architecture built to satisfy the requirements of our most security-sensitive customers. Data encryption standards and information security standards are applied. This means that you get a resilient infrastructure, designed for high security, without the capital outlay and operational overhead of a traditional data center.
Gallus operates under a shared security responsibility model, where Gallus is responsible for the security of the underlying cloud infrastructure and you are responsible for securing the workloads you deploy in the Gallus Infostructure (Figure 1). This gives you the flexibility and agility you need to implement the most applicable security controls for your business functions in the Gallus Infostructure environment. You can tightly restrict access to environments that process sensitive data, or deploy less stringent controls for information you want to make public.
Infostructure Security at Gallus is the highest priority. As organizations embrace the scalability and flexibility of the cloud, Gallus is helping them evolve security, identity, and compliance into key business enablers. Gallus builds security into the core of our cloud infrastructure, and offers foundational services to help organizations meet their unique security requirements in the cloud.
As a Gallus customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Security in the cloud is much like security in your on-premises data centers—only without the costs of maintaining facilities and hardware. In the cloud, you don’t have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and out of your cloud resources.
An advantage of the Gallus Cloud is that it allows you to scale and innovate, while maintaining a secure environment and paying only for the services you use. This means that you can have the security you need at a lower cost than in an on-premises environment.
As a Gallus customer you inherit all the best practices of Gallus policies, architecture, and operational processes built to satisfy the requirements of our most security-sensitive customers. Get the flexibility and agility you need in security controls.
The Gallus Cloud enables a shared responsibility model. While Gallus manages security of the cloud, you are responsible for security in the cloud. This means that you retain control of the security you choose to implement to protect your own content, platform, applications, systems, and networks no differently than you would in an on-site data center.
Gallus provides you with guidance and expertise through online resources, personnel, and partners. Gallus provides you with advisories for current issues, plus you have the opportunity to work with Gallus when you encounter security issues.
Gallus uses current cloud computing providers such as Azure and AWS, and applies its own standards on top of them to ensure that information security is treated as a mandatory requirement.
You get access to many tools and features to help you meet your security objectives. Gallus provides security-specific tools and features across network security, configuration management, access control, and data encryption.
Finally, Gallus environments are continuously audited, with certifications from accreditation bodies across geographies and verticals. In the Gallus environment, you can take advantage of automated tools for asset inventory and privileged access reporting.
Benefits of Gallus security
Keep Client’s data safe — The Gallus infrastructure puts strong safeguards in place to help protect your privacy. All data is stored in highly secure Gallus data centers.
Meet compliance requirements — Gallus manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.
Save money — Cut costs by using Gallus data centers. Maintain the highest standard of security without having to manage your own facility.
Scale quickly — Security scales with your Gallus Cloud usage. No matter the size of your business, the Gallus infrastructure is designed to keep your data safe.
Document’s Objectives
This policy applies to all users of information assets at Gallus as defined in the ISMS scope. Protecting the company's resources is the responsibility of all employees.
This policy covers all Information Systems operated by Gallus or contracted with a third party by Gallus. The term Information Systems defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. desktops, network devices, and wireless devices), software and information.
Although this policy explicitly covers the responsibilities of users, it does not cover the matter exclusively. Other Gallus Information Security policies, standards and procedures define additional responsibilities. All users are required to read, understand and comply with other Information Security policies, standards and procedures. If any user does not fully understand anything in these documents, he/she should contact the ISMS Team and HR Team. Information Security (IS) and the concerned department/division units shall jointly resolve any conflicts arising from this policy.
Policy Statement
Gallus shall adopt a risk-based approach to protecting its critical information assets and client confidential information from likely and high-impact threats, and shall embed information security principles into the organizational culture making it the responsibility of each and every employee to ensure that a robust information security structure is maintained.
Main Objectives
This policy states the intent of Gallus to identify and protect its critical information assets. The principles of security adopted by the company are:
1. Confidentiality: Information should be accessible only to authorized personnel
2. Integrity: Information should be modifiable only by authorized personnel
3. Availability: Information should be made available to personnel who need it
The risks to information and infrastructure come from many sources - users, vendors, hackers, intruders, and ex-employees. The risks from viruses and worms continue to be ever-present. In addition, Business Continuity and Disaster Recovery (BCP/DRP) plans are essential requirements, which need to be implemented in the event of any disaster so that the business critical functions continue to operate and the entire operations are recovered from the disaster within an acceptable period of time.
In such a scenario it is the responsibility of each and every employee to protect the information of the company and its customers. All processes and procedures followed within the company are also very critical and need to comply with the adopted information security principles.
Document Description
It is the responsibility of all the company’s employees, and vendors to comply with this policy and other associated security policies. The information security team is responsible for reviewing and updating this policy as and when required and /or at least once every year.
Security Awareness
It is important to implement security awareness initiatives at all levels of the organization, including senior management, middle management, team leaders, heads of departments, support staff, and any third parties.
The information security awareness sessions will be an ongoing initiative to ensure that all employees and contractors are aware of the information security policies that are relevant to them. The sessions will also cover the procedures, guidelines, and information security best practices adopted by the company, together with the applicable laws, regulations, and management best practices.
Annual online information security awareness training will be conducted, in addition to the awareness session delivered to new joiners by the respective HR team during onboarding and induction.
Competence
The company shall ensure that employees and contractors within the scope of the ISMS have the appropriate skills and competence for their roles, and shall maintain records of this competence.
Monitoring and Action Plan
In addition to maintaining the information security management system, it is imperative to monitor and measure its ongoing efforts and results. A detailed, documented process will identify metrics for specific controls implemented in the company, and will also define the techniques for collecting and reviewing measurements of those metrics. The inputs and outputs of the measurements will be reviewed on a regular basis.
Continual improvement and implementations
Gallus' policy on continual improvement is to:
· Continually improve the effectiveness of the ISMS
· Enhance current processes to bring them into line with good practice as defined by ISO/IEC 27001 and related standards
· Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
· Increase the level of proactivity about information security
· Make information security processes and controls more measurable to provide a sound basis for informed decisions
· Review relevant metrics periodically to assess whether it is appropriate to change them, based on collected historical data
· Review ideas for improvement at regular management meetings to prioritize and assess timescales and benefits
Review
The Corporate Information Security Policy, as well as the other security policies must be periodically reviewed. This review will happen under the following circumstances:
· Once every 12 months
· If there is a significant change in the technologies in use by the company
· If there is a significant change in the external threat environment, which mandates a review of the risk profile
· If there is a significant change in client requirements/guidelines for information security
Communication
· The Information Security Policy will be disseminated to all employees and contractors by email.
· All communication with stakeholders, the media and financial markets will be conducted only by the executive team, on a need basis, through press events, conferences and email. No employee of the organization may engage with the media or financial markets unless authorized by Bernardo Loitegui.
· In their daily work, all employees should act as representatives and ambassadors of the company and are authorized to speak with clients in line with their project and KRA. Inside information shall be kept confidential.
· Information shall be uploaded to the Gallus website only after approval by Bernardo Loitegui, in line with the executive committee's agreement.
· Communication with internal and external stakeholders must be in line with the organization's stance and strategy and will be handled on a case-by-case basis. Bernardo Loitegui is authorized to communicate with external stakeholders in line with contractual requirements.
· When speaking at conferences, the presentations should be checked with Bernardo Loitegui.
Enforcement
Necessary disciplinary action will be taken against any employee not following the policies and procedures laid down by the company. Similarly, action will be taken against those employees encouraging/observing such an activity and not reporting the same to the concerned authority. Any employee found to have violated this policy may be subject to disciplinary action.