Introduction
Definitions
Definitions of the various terms used in this policy and other related documents are available in the information security glossary.
Objectives
This document constitutes Boscoville’s Information Asset Security Policy, hereinafter referred to as the “Policy”. This Policy establishes the practices necessary to comply with various legal and administrative obligations and to protect all information assets and prevent potential security incidents, including fraud, information leaks, computer attacks, accidental errors, deliberate actions and privacy breaches. By implementing this Policy, Boscoville protects its assets and mitigates the risks associated with the confidentiality, integrity and availability of information.
Scope
This policy applies to all information assets held by Boscoville, including information collected in the course of contractual, regulatory and legal activities.
For the purposes of this Policy, and without limitation to the above, Boscoville’s stakeholders include its employees, directors, subcontractors, suppliers, customers and partners.
Commitment of the Board of Directors
This Policy is part of a context of prevention and information security awareness. In order to achieve this, the collaboration of all stakeholders is essential. The Board of Directors is committed to taking all necessary means to support the actions that need to be taken to implement the Policy, as well as the associated guidelines.
Policy and Supporting Security Guidelines Ownership
This Policy and the various associated security guidelines are the responsibility of the Information Security Officer. The Information Security Officer is responsible for its maintenance, revision and communication.
Monitoring and Control of Information Security Activities
In order to monitor its risk exposure, Boscoville must have a monitoring infrastructure and processes in place. These must make it possible to monitor the effectiveness of its protection methods, processes and mechanisms on an ongoing basis, and to improve them in line with changes in the risks faced by Boscoville.
Boscoville reserves the right, without prior notice, to monitor any information assets and any information held, processed and executed on its systems and mobile devices. This privilege must always be exercised in compliance with the law and when reasonable grounds recommend it.
Consequences
Failure to comply with this Policy or the associated security guidelines may result in Boscoville withdrawing access rights, terminating employment or contract, as well as applying disciplinary or legal measures. Any stakeholder who becomes aware of non-compliance with or omission from this Policy must inform their manager or the person responsible for information security.
Policy Compliance
The guidelines must be applied in support of Boscoville’s business needs and must never become a constraint that does not add value or that prevents Boscoville from offering its services to its customers.
In view of the above, it is possible that, in the normal course of operations, specific situations may make it impossible to comply with certain information security requirements. In such a context, a clear procedure for managing non-compliance with security requirements is necessary to ensure that they are properly analyzed, approved and followed up.
General Principles
Internal Organization
To ensure effective management of information security within Boscoville, it is important to define the structure supporting the planning, development, implementation and control of security measures. The Management Committee is responsible for ensuring that this organizational structure is defined and implemented.
Risk Assessment and Management of Information Assets
In addition to corporate risk management, security measures are based on Boscoville’s assessment, periodic analysis and treatment of risks relating to the confidentiality, integrity and availability of information.
A risk assessment must be carried out before acquiring new systems or making any changes likely to have an impact on the security of Boscoville’s information assets. In all cases, this assessment must be documented following a defined process.
Human Resources Security
Boscoville shall establish human resources security processes to reduce the risk of human error, theft, fraud or misuse of Boscoville’s information assets before hiring, during employment and after departure.
Management of Information Assets
In order to implement and maintain appropriate protection, each information asset must be inventoried and assigned to an owner who is aware of its value and importance to Boscoville. The owner will establish its classification according to its value and importance to Boscoville in order to establish an appropriate level of protection.
Controlling Access to Information Assets
- “Need-to-know” principle: Information should only be disclosed to those who need it to perform their duties, and in accordance with legal and regulatory requirements.
- Access Management: Access management must be carried out according to formal, agreed processes and procedures, and communicated to concerned individuals.
- When a user changes position (including layoff, transfer, promotion or long-term leave), their manager must review their access. Owners, in collaboration with the person responsible for information security, must ensure that a periodic review of user accounts is carried out.
- Access Controls: Any information asset that holds information not classified as public must have an active authentication mechanism to ensure that this information is not improperly disclosed, modified, deleted or made unavailable. Users must have a unique identifier and must not share it under any circumstances.
Physical and Environmental Security
All information assets must be protected by physical security measures in accordance with their level of security, the associated risks and their value to Boscoville.
Access to offices and computer rooms containing information not classified as public must be physically restricted by an appropriate security mechanism.
IT Operations Management and Telecommunications
Unless designated as public, all information must be protected against unauthorized disclosure to third parties. Third parties may have access to information not classified as public only if a need has been demonstrated and if such disclosure has been authorized by the owner or by law.
System Acquisition, Development and Maintenance
The security requirements to be met when acquiring, developing, implementing and maintaining an information asset must be determined. Security requirements must take account of technological developments and new security challenges.
Incident Management
Boscoville must establish and define the responsibilities and procedures to be implemented in the event of a security incident, in order to guarantee an effective and relevant response, while ensuring that a team is in place to deal with incidents.
Disaster Recovery
Boscoville must implement an information technology recovery plan (hereinafter, “Disaster Recovery Plan”) designed to reduce the impact of the unavailability of an information asset and thus ensure the continuation of operations as quickly as possible. Recovery measures must be checked periodically to ensure their effectiveness and relevance.
Training and Awareness
Boscoville must inform employees of the threats and consequences of a security breach, ensuring that everyone is able to identify and respond to risk situations appropriately.
Boscoville must also provide specialized training in areas related to information security in order to maintain an acceptable level of risk within Boscoville.
An information security training and awareness program adapted to the different roles of employees must be defined.
It is Boscoville’s responsibility to provide all persons requiring access to information assets with the necessary guidelines to understand their information security responsibilities.
All relevant documents must be communicated to employees, including this Policy and associated guidelines.
Roles and Responsibilities
Board of Directors
Boscoville’s Board of Directors is responsible for ensuring that adequate security guidelines are developed and maintained within Boscoville. It is responsible for approving this Policy and taking all necessary steps to implement it and any other associated documents.
Person Responsible for Information Security
The person responsible for information security is Boscoville’s principal representative on all issues relating to the security of information assets.
Without limiting the generality of the above, the person responsible for information security shall, among other things:
- Report annually to the Executive Committee on compliance with the Policy and submit a compliance report.
- Keep the Policy up to date according to Boscoville’s needs, obligations and concerns.
- Ensure the involvement of the various stakeholders in the development of this Policy and other associated guidelines.
- Define security criteria for technologies used within Boscoville.
- Provide advice on information security matters.
- Carry out risk and vulnerability assessments for all projects involving information assets, in order to define security requirements for the protection of information assets.
- Raise awareness of information security among all users.
- Ensure effective management of security incidents and maintenance of the Disaster Recovery Plan (DRP) based on the Business Continuity Plan (BCP).
Information Asset Owner
The Information Asset Owner is the manager of one of Boscoville’s business areas. This person is responsible, from a business point of view, for the information assets needed to conduct the activities of their sector, such as:
- Determine the value of the information assets under their management and ensure their classification in accordance with this value.
- Identify and ensure the implementation of security measures and controls to guarantee the protection of information assets according to the assigned security level and risk assessments.
- Maintain security measures for all assets throughout their lifecycle (creation, maintenance, preservation, destruction, etc.).
- Approve the allocation of access rights to information assets under its responsibility, as required.
- Ensure that a disaster recovery plan, specific to its information assets, is in place and regularly tested.
Users of Information Assets
The user of an information asset (hereinafter: “User”) is a person to whom an owner has granted access to one or more of Boscoville’s information assets. A user may be a permanent or temporary employee, an administrator, a freelancer, a consultant or a third party.
Where justified by the value of the information asset, special arrangements with a third party (such as confidentiality agreements) must have been made prior to the award or assignment of the contract.
This role includes the following tasks:
- Use information assets only for purposes expressly approved by the owner.
- Respect all security measures in place.
- Refrain from disclosing information in their possession (unless it has been designated as public) without the owner’s authorization.
- Inform the person responsible for information security of all situations where they believe the security of an information asset is vulnerable or has been compromised.
- Comply with this Policy and any other document that refers to or supports it.
Revision and Approval
This Policy takes effect upon adoption by the Board of Directors. It may be revised at any time by the Privacy Officer, and any changes must be submitted to the Board of Directors for adoption.
Amendments may be proposed by various Boscoville stakeholders and must be submitted in writing to the Information Security Officer.
This Policy should be reviewed at least every two years to ensure its relevance to Boscoville’s mission, the activities of its users and any substantial changes to legislation or regulatory requirements.
Effective Date
This Policy is effective as of September 21, 2023. It cancels and replaces all previous guidelines on this matter.