Information Security Policy

Purpose

Information, whether collected, processed, stored, communicated, or reported, is susceptible to risks such as theft, misuse, loss, or corruption. These risks may arise from inadequate training, weak security practices, or violations of controls. Information security incidents can lead to reputational harm, financial losses, non-compliance with legal standards, and potentially legal action against Wardient.

This high-level Information Security Policy complements the Data Protection Policy and other related policies to establish the overarching framework for Wardient’s risk-based approach to managing information security.

The objectives of this policy are to:

  • Protect sensitive data related to Wardient employees, clients, and affiliates, ensuring operational continuity through the prevention of data loss.
  • Define effective procedures to preserve the confidentiality, integrity, and availability of Wardient’s IT resources.
  • Establish controls for detecting, mitigating, and preventing information security threats, including unauthorized access and misuse of data, systems, and networks.
  • Implement safeguards that uphold the organization’s reputation and ensure compliance with legal, regulatory, and contractual obligations.
  • Provide structured guidance for managing sensitive information across all formats—digital, physical, or otherwise.
  • Ensure the reliability and accuracy of Wardient’s data for sound business decisions.
  • Secure sensitive information under Wardient’s care, regardless of its storage medium.

Scope

This policy and its supporting procedures apply to all information assets managed by Wardient, in all formats and across all departments. It also covers information processed by third parties on behalf of Wardient.

The policy applies to all personnel who interact with Wardient’s information and IT systems, including contractors and service providers with access to such resources.

A detailed description of information assets, users, and systems is documented within the broader Information Security Management System (ISMS).

Policy Statement

Key Policy Areas

  1. Information Security Policies
    Detailed policies, procedures, and controls will support this overarching policy. These documents will be approved by management, regularly reviewed, and communicated to all relevant parties.
  2. Organization of Information Security
    Governance structures will be established to manage information security responsibilities. This includes:
    • An Information Security Steering Committee.
    • An Executive Sponsor accountable for security governance.
    • An appointed Information Security Lead.
    • Information Asset Owners (IAOs) and Managers (IAMs) for local oversight.
  3. Human Resources Security
    Security roles and responsibilities will be clearly communicated and, where feasible, integrated into job descriptions and performance objectives. All staff will receive relevant security training.
  4. Asset Management
    All assets will be identified, classified, and managed throughout their lifecycle, including defined retention and disposal procedures.
  5. Access Control
    Access to systems will be granted based on role-specific needs and information sensitivity. A formal access management process, including user provisioning, authentication, and segregation of duties, will be enforced.
  6. Cryptography
    Wardient will provide cryptographic tools and guidance to safeguard the confidentiality and integrity of sensitive data.
  7. Physical and Environmental Security
    Critical information systems will be housed in secure facilities with layered access controls to prevent unauthorized physical access or interference.
  8. Operations Security
    Information processing systems will be operated securely and efficiently. This includes defined operational procedures, malware controls, change management, and vulnerability assessments.
  9. Communications Security
    Secure communication protocols will be implemented to protect data in transit within internal and external networks, according to data classification requirements.
  10. System Acquisition, Development, and Maintenance
    Information security requirements will be defined and integrated throughout the system development lifecycle. Changes to systems will be subject to formal change control and environment separation.
  11. Supplier Relationships
    Security expectations will be embedded into supplier agreements. Suppliers’ adherence to information security standards will be monitored and reviewed based on associated risks.
  12. Information Security Incident Management
    Procedures will be in place to detect, report, investigate, and respond to information security incidents. Lessons learned will inform future preventive measures.
  13. Information Security in Business Continuity
    Wardient will maintain business continuity plans that account for information security considerations. Regular testing and business impact analysis will ensure preparedness for disruptions or disasters.

Compliance

Wardient’s information systems and practices must meet all relevant legal, regulatory, and contractual requirements, including but not limited to data protection laws and governmental guidance.

Compliance will be verified through internal audits, external reviews, penetration testing, and other validation mechanisms. Information Asset Owners will play a key role in supporting compliance efforts.

Review

This policy will be reviewed annually, or as necessary, by the Information Security team and formally approved by Wardient Management to ensure it remains relevant and effective.

Last Updated: April 2025