Security Procedures
Version 1 (September
2019)
Annex:
Cybersecurity Policies and Procedures
1. Basic principles
• Promotes the alignment of South Trade's Information and Telecommunications Systems with the appropriate level of cybersecurity for the industry.
• Sensitizes users to cybersecurity risks and promotes the provision of the knowledge, skills, experience and technological capabilities needed to support the company's cybersecurity objectives.
• Strengthens capacities for prevention, detection, reaction, analysis, recovery, response, research and coordination in the face of new threats.
• Promotes the existence of adequate cybersecurity mechanisms for systems and operations managed by third parties providing services to the company.
• Provides procedures and tools to keep abreast of changing conditions in the technological environment and new threats.
2. Management Model
This Cybersecurity Management Model is based on general industry best practices for offices and,
specifically, IMO recommendations for ship security, so as to provide the resources for an environment
aligned with established business and cybersecurity objectives.
In this policy, users are given recommendations on how to avoid security breaches, for which the following
procedures are defined:
o Birthday.
o Name of a family member.
o Generic passwords:
1234
asdf
admin
• Remember passwords instead of writing them down. If an employee needs to write down their password, they are required to keep the document (digital or physical) confidential and destroy it at the end of the job.
• Exchange credentials only when absolutely necessary. If the exchange cannot take place in person, employees should prefer a telephone channel over email, and only if they can recognize the person they are speaking with.
• Change passwords every 6 months.
• Remembering a large number of passwords can be complicated. It is suggested that users categorize their passwords and, if necessary, write them down only in an encrypted digital document and ensure its non-disclosure.
• Avoid opening attachments or links whose content is not properly explained. For example:
o "You won an iPhone X. CLICK HERE TO CLAIM YOUR PRIZE!"
o "Look at this video, it's amazing!"
o "Dear, attached report requested (report.docx.exe)."
• Be suspicious of advertising and propaganda:
o "Unmissable offers."
o "The new iPhone for only 1 USD!"
• Check that the email address matches the sender's name. Check the mailbox addresses and make sure the mail is legitimate.
• If a user is unsure of the legitimacy of an email, he or she can consult the company's IT area.
• Users should be encouraged to use the company's file servers to store their documents and important information, as these servers have a defined backup scheme.
• Implement a regular backup scheme for the information on the media to ensure its integrity and rapid recovery if necessary.
• Databases, shared folders, applications, websites and any relevant information that is backed up should be explicitly documented, indicating the periodicity of the backup and the recovery procedure.
• The backup scheme must preserve the integrity, confidentiality and availability of the information.
• Logs should be kept in order to periodically audit that the backups made comply with the previous point. Such audits should be documented and should explicitly validate that the information is available and that systems can continue to function normally with information restored from a backup.
• The performance of information backups should not hinder the normal operation of the systems or the work of users, so it is recommended that they be performed during non-business hours.
• Avoid transferring sensitive data (e.g. customer information, personnel data) to other devices or accounts unless absolutely necessary. When a mass transfer of such data is required, the user should ask the IT area for help.
• Share confidential information over the enterprise network/systems and not over public networks or non-corporate private networks.
• Ensure that the recipients of the data are properly authorized persons or organizations and have adequate Information Security Policies.
Report fraud, privacy breaches and hacking attempts.
It is critical that the IT area is aware of fraud, security breaches and malware so that it can protect the company's IT infrastructure in a timely manner. For this reason, users are advised to report perceived attacks, suspicious emails or attempted phishing/fraud to IT specialists as soon as possible. The area must investigate properly to resolve the problem and, if necessary, send a company-wide security alert.
general) and lose control of the company's computer systems, with catastrophic consequences for the
organization, for example: theft and loss of information, malicious encryption of information assets, disclosure
of business secrets, publication of confidential information of staff.
• Any device for personal use (computer, notebook, telephone, tablet, etc.) owned by the company must be assigned to properly identified users, who are responsible for its care and proper use, preventing and safeguarding against any improper access to the information it contains.
• If third-party activities are required within the equipment room, the third party must always be accompanied by company IT personnel.
• Server room access logs should be audited regularly to detect abnormal patterns.
4.3 Protect personal and business devices
When users use their digital devices to access mail or corporate accounts, security risks are introduced to the company's information. It is suggested that users keep both their personal devices and those assigned by the company secure. For this, it is recommended:
Users are also advised to avoid accessing third-party credentialed systems, sharing personal credentials or devices, or leaving their accounts open on third-party devices.
When new users are assigned company equipment or a device, they will receive training in:
Users are advised to protect their devices and consult the IT area if they have any questions.
• The assigned equipment may only be used to fulfill the tasks inherent to the user's function within the company.
• The company information stored on the devices is confidential, so users must take the necessary safeguards so that such information is not leaked to third parties in the event of loss of the equipment.
Given the above, guidelines are established for the proper functioning of the equipment room and for proceeding in the event of adverse events that may affect it. Therefore, it is necessary to:
• Evaluate alternatives to improve the configuration of the equipment room, according to the available resources, making the corresponding adjustments, updates and changes.
For this purpose, a series of access control guidelines for South Trade networks are established, applicable to all officers (plant staff, hires, replacements and substitutes), honorary personnel and third parties providing services to South Trade.
Company users have access permissions to the areas that correspond to them; the proper use and safekeeping of the network access password is their responsibility, and it must comply with the minimum requirements listed in the section "Management of Confidential Data".
• All communication devices (routers, firewalls, switches) must be password-protected, and only South Trade IT personnel may have access to their administrative configuration.
• Users who require access to communication devices must have a user account associated with a privilege profile in order to access the company's services, corporate applications and network resources.
• Access credentials for network resources and services should be personal and non-transferable, avoiding the use of generic and shared accounts.
• The privileges assigned to the different profiles and the list of users assigned to those profiles should be audited regularly in order to adjust the levels of access users may have during their time in the company, and to cancel those privileges once they are no longer part of the organization.
• Remote access must be authorized by the Administration and reported to the IT area.
• Temporary access may be granted to personnel outside South Trade only in exceptional cases.
• WIFI access must be segmented for internal and external users, with very limited access for the latter.
• WIFI network traffic must be audited to detect unauthorized access and minimize risks.
• Ensure the integrity of the information that is recorded in or consulted from the company's different Computer Systems, avoiding inappropriate or corrupt modifications.
• Maintain the confidentiality of the information in the different systems, protecting it from access by unauthorized users.
• Provide the necessary support for the availability of South Trade IT services and, in the event that an Information System presents problems or vulnerabilities are detected, report this immediately to your supervisor or the company's IT area.
The request for specific access to information systems for new users must be managed by each area of South Trade through its head, or whomever the head designates for that function. The access request must indicate:
• Details of the user profile that the official must have for each of the systems to which access is requested.
Protocols for monitoring networks, applications and services must be established to protect the company's information assets.
In order to access the monitoring tools for each of the utilities and hardware, the user must first have administrator attributes, both for the domain and for the credentials handled by each of the tools. Only the personnel designated by the IT area possess these attributes.
• The first firewall of the local network should be used to block or enable ports and protocols, depending on the requirements of services and applications.
• The firewall configurations should be backed up annually if an emergency recovery plan is established.
• Mail of malicious origin should be filtered and monitored in order to control email-borne viruses and spyware, which can spread to users and, therefore, to the local network. This task is performed automatically by Google's Gmail but supervised by IT staff. To this end, the tools available to the institution should be used.
• All traffic on the internal network, including Windows, Linux and OSX services, should be monitored using the tools available for this purpose.
• The event logs of the Windows, Linux and OSX services should be reviewed periodically to detect early, or failing that correct, those actions detrimental to the platform, the systems and their information assets.
6. Technological Asset Management
A detailed record of the company's technological assets must be kept: an inventory of hardware equipment that contains its history of use and configurations, both active and deregistered, as well as the history and configurations of all pieces of software used by the company. This inventory should also be complemented by purchase and vendor lists if necessary.
• Once an asset is received, the IT area must update its asset register with the minimum data necessary for its correct control and monitoring, identifying data such as product description (model, brand, etc.), serial number and warranty period, among others.
• If equipment is assigned to a user, it is the responsibility of the IT area to record the information relevant to the assignment, including user name, assignment date and area of work, among others, in order to keep the company's technology asset inventory up to date.
• For technological assets that are defective or liable to be deregistered, the IT area will notify the corresponding area in order to manage the administrative procedure for these purposes.
This inventory is vital for preventive maintenance, bug fixes, software updates and security patches. To that end, it is required:
• To maintain a record of changes to operating systems, software in general and associated hardware.
• Critical security updates and patches will be applied to Windows servers and PCs. Since some security patches or updates could affect the proper functioning of certain features of both Windows and the hosted systems, it is advisable to review the documentation of the update or security patch before applying it to the servers.
• In the case of Linux operating systems, updates and patches will be applied manually, connecting directly to the repositories of the most popular distributions (for example: CentOS repo, REMI).
• The operation of communications hardware, servers and storage requires highly complex configurations, so it is necessary to record them in the respective hardware inventory.
weaknesses that could compromise the security of the company's information assets and its technology supports. For this, it is required:
• To maintain records of incidents and/or threats that have occurred, including the solutions that were implemented.
• To immediately inform the IT area of the occurrence of incidents or the detection of threats and/or weaknesses that could compromise the security of the company's information assets.
• To continuously follow up on incident reports in order to identify the root cause of the problem and identify behavioral patterns.
System event records generated by operating systems, databases, communication equipment, endpoints and antivirus/antimalware software on the South Trade data network must be consolidated, reviewed and maintained.
Based on general guidelines, logs of events, warnings and errors that result in cybersecurity incidents should be documented in order to detect the recurrence of an incident and/or improve the response time for events and incidents, as well as to detect behavioral patterns.
The South Trade IT area should review these events daily and use software to detect correlations between events. The monitoring of these events must be supported by technological tools, such as SIEM software, to find correlations between the various events in order to detect cyberattacks on the company's data and networks early.
8. Additional Measures
To reduce the likelihood of security breaches, users are instructed to:
• Turn off their screens and lock their devices when they leave their workspace.
• Report damaged or stolen equipment to the IT area as soon as possible.
• Change all user account passwords when a device has been stolen.
• Report perceived threats and potential security vulnerabilities in enterprise systems.
• Refrain from suspicious downloads and from the use of unauthorized (or illegal) software on company equipment.
• Avoid accessing suspicious or unauthorized sites.
The user is also expected to engage with the company's Social Media and comply with the Internet Usage Policy.
• Install firewalls, antimalware software, endpoint protection and access authentication systems.
• Organize Information Security training for all users of the company.
• Inform users regularly about new email or malware scams and how to combat them.
• Investigate security breaches thoroughly.
• Follow these policies like all other staff.
The company owns and will own the physical and digital controls necessary to protect the information.