# Information Security Policy | Field | Value | |-------|-------| | **Document ID** | POL-001 | | **Version** | 1.0 | | **Status** | Draft — Pending approval | | **Owner** | Executive Sponsor | | **Maintained By** | Information Security Officer (ISO) | | **Effective Date** | _Pending approval_ | | **Review Cycle** | Annual | | **ISO 27001 Reference** | A.5.1 — Policies for information security | Related: [ISMS Foundation](../ISMS_FOUNDATION.md) | [ISO 27001 Roadmap](../ISO27001_ROADMAP.md) --- ## 1. Purpose This policy establishes the organization's commitment to protecting information assets processed by the **Tender Management (TM) System**. It defines principles, responsibilities, and requirements that all personnel, contractors, and third parties must follow. --- ## 2. Scope This policy applies to: - All employees, contractors, and third parties with access to TM systems or data - The ISMS scope defined in [ISMS Foundation §3](../ISMS_FOUNDATION.md#3-isms-scope): `cmd/web`, `cmd/worker`, `cmd/scraper`, MongoDB, Redis, MinIO, and integrated services - All information classified C2 (Internal) and above --- ## 3. Policy Statement Management is committed to: 1. **Protecting** the confidentiality, integrity, and availability of information assets 2. **Complying** with applicable legal and regulatory requirements, including GDPR 3. **Implementing** an ISMS aligned with ISO/IEC 27001:2022 4. **Managing** information security risks through a documented risk assessment process 5. **Continuously improving** security controls via the Plan-Do-Check-Act (PDCA) cycle Information security is everyone's responsibility. No business objective justifies unacceptable risk to customer data or system integrity without documented risk acceptance by authorized management. --- ## 4. Information Security Objectives | # | Objective | Measure | Target | |---|-----------|---------|--------| | O-1 | Protect customer and company PII | Data breach incidents | Zero confirmed breaches per year | | O-2 | Maintain platform availability | Uptime of production API | ≥ 99.5% monthly | | O-3 | Respond to security incidents promptly | P1 incident acknowledgment time | ≤ 1 hour | | O-4 | Remediate critical vulnerabilities | Mean time to patch (Critical CVE) | ≤ 7 days | | O-5 | Maintain security awareness | Training completion rate | 100% of in-scope personnel | | O-6 | Progress toward ISO 27001 certification | Roadmap milestone completion | Per [ISO27001_ROADMAP.md](../ISO27001_ROADMAP.md) | Objectives are reviewed quarterly during management review. --- ## 5. Roles and Responsibilities | Role | Responsibilities | |------|------------------| | **Executive Sponsor** | Approves this policy; allocates resources; chairs management review | | **Information Security Officer (ISO)** | Operates ISMS; maintains risk register; coordinates audits and incidents | | **Data Protection Officer (DPO)** | Ensures GDPR compliance; oversees DPIAs and data subject requests | | **Engineering Lead** | Secure SDLC; code review; vulnerability remediation | | **DevOps Lead** | Infrastructure security; secrets management; backups and monitoring | | **All personnel** | Comply with policies; report incidents; complete security training | --- ## 6. Core Security Principles ### 6.1 Confidentiality - Access to information is granted on a need-to-know basis - PII and credentials must not be disclosed to unauthorized parties - Secrets must never be committed to source control or included in logs ### 6.2 Integrity - Production changes require peer review and follow change management procedures - Data modifications must be traceable through audit logs where applicable - Input validation is mandatory at all API boundaries ### 6.3 Availability - Critical services (API, database, object storage) must have documented recovery procedures - Capacity and rate limiting must protect against abuse-related outages ### 6.4 Defense in Depth Security controls are layered across application, infrastructure, and process levels. No single control is relied upon exclusively. ### 6.5 Least Privilege Users, services, and processes receive the minimum access required to perform their function. --- ## 7. Supporting Policies and Procedures This policy is supported by: | Document | ID | |----------|-----| | [Access Control Policy](./access-control-policy.md) | POL-002 | | [Incident Response Plan](./incident-response-plan.md) | POL-003 | | [Backup & Recovery Policy](./backup-and-recovery-policy.md) | POL-004 | | [Acceptable Use Policy](./acceptable-use-policy.md) | POL-005 | | [Risk Assessment Procedure](../procedures/risk-assessment-procedure.md) | PROC-001 | --- ## 8. Compliance and Enforcement - Violations of this policy may result in disciplinary action, up to and including termination of employment or contract - Regulatory breaches may result in legal liability and notification to supervisory authorities - All personnel must acknowledge this policy upon onboarding and annually thereafter --- ## 9. Exceptions Exceptions to this policy require: 1. Written request with business justification 2. Risk assessment of the exception 3. Approval by ISO and Executive Sponsor 4. Time-bound validity (maximum 12 months) 5. Entry in the risk acceptance log ([Risk Assessment Matrix §5](../RISK_ASSESSMENT_MATRIX.md#5-risk-acceptance-log)) --- ## 10. Document Control | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | 2026-06-11 | Engineering | Initial policy | **Approval** | Role | Name | Signature | Date | |------|------|-----------|------| | Executive Sponsor | _Pending_ | | | | ISO | _Pending_ | | | --- ## 11. Distribution This policy is available to all in-scope personnel via the `docs/security/policies/` repository path and must be communicated during onboarding.