Security Policy

Information Security Policy

Security assessment is focused on determining the degree to which information system security controls are correctly implemented, whether they are operating as intended and whether they are producing the desired level of security. Vulnerability assessment is focused on determining the weaknesses inherent in the information systems that could be exploited leading to information system breach. Without Security and vulnerability assessments, the potential exist that information systems may not be as secure as intended or desired.

Scope

This Security Assessment Policy applies to all information systems and information system components of JGC Construction International Pte Ltd (JCON). Specifically, it includes:

  • Mainframes, servers and other devices that provide centralized computing capabilities.
  • SAN, NAS and other devices that provide centralized storage capabilities.
  • Desktops, laptops and other devices that provide distributed computing capabilities.
  • Routers, switches and other devices that provide network capabilities.
  • Firewalls, IDP sensors and other devices that provide dedicated security capabilities.

Policy

  1. Security assessments will be performed against all information systems on an annually basis. Vulnerability assessments will be performed against all information systems on a quarterly basis.
  2. While both security and vulnerability assessments are to be performed by internal staff on an on-going basis, third parties will be retained every third assessment to ensure appropriate levels of coverage and oversight.

Procedure 1

Perform security and vulnerability assessments against enterprise networks and information systems:

  • Develop an assessment plan:
    • Determine the scope of assessments to be performed.
    • Establish a prioritized assessment schedule
    • Identify and gather required skills and tools.
    • Creation an assessment implementation plan.
  • Execute the assessment plan:
    • Review system documentation, including system configuration documents and system log files, to determine expected security configuration and capabilities of the system.
    • Identify and analyze the target system through investigative techniques that include network foot-printing, port and service scanning, and vulnerability assessment.
    • Validate vulnerabilities that may be discovered through validating techniques that include penetration testing, password cracking, and social engineering.
  • Analyze assessment data and report on findings.
    • Review validated assessment findings to determine the risk and cost impact on the organization.
    • Create a final report outlining the findings of the assessment.

Non-Compliance

Violation of any of the constraints of these policies or procedures will be considered a security breach and depending on the nature of the violation, various sanctions will be taken:

  • A minor breach will result in written reprimand.
  • Multiple minor breaches or a major breach will result in suspension.
  • Multiple major breaches will result in termination.