Files
tm_back/docs/security/policies/information-security-policy.md
T
Mazyar 06e663b691 Add security and compliance documentation for ISO/IEC 27001
- Introduced a comprehensive suite of security documents to support ISO/IEC 27001 certification, including the ISMS Foundation, Risk Assessment Matrix, Gap Analysis Report, Statement of Applicability, and ISO27001 Roadmap.
- Updated the README to include links to the new security documentation, enhancing the project's compliance framework and providing clear guidance on security policies and procedures.

This addition strengthens the overall security posture of the Tender Management System and aligns with industry standards for information security management.
2026-06-11 01:53:24 +03:30

157 lines
5.7 KiB
Markdown

# Information Security Policy
| Field | Value |
|-------|-------|
| **Document ID** | POL-001 |
| **Version** | 1.0 |
| **Status** | Draft — Pending approval |
| **Owner** | Executive Sponsor |
| **Maintained By** | Information Security Officer (ISO) |
| **Effective Date** | _Pending approval_ |
| **Review Cycle** | Annual |
| **ISO 27001 Reference** | A.5.1 — Policies for information security |
Related: [ISMS Foundation](../ISMS_FOUNDATION.md) | [ISO 27001 Roadmap](../ISO27001_ROADMAP.md)
---
## 1. Purpose
This policy establishes the organization's commitment to protecting information assets processed by the **Tender Management (TM) System**. It defines principles, responsibilities, and requirements that all personnel, contractors, and third parties must follow.
---
## 2. Scope
This policy applies to:
- All employees, contractors, and third parties with access to TM systems or data
- The ISMS scope defined in [ISMS Foundation §3](../ISMS_FOUNDATION.md#3-isms-scope): `cmd/web`, `cmd/worker`, `cmd/scraper`, MongoDB, Redis, MinIO, and integrated services
- All information classified C2 (Internal) and above
---
## 3. Policy Statement
Management is committed to:
1. **Protecting** the confidentiality, integrity, and availability of information assets
2. **Complying** with applicable legal and regulatory requirements, including GDPR
3. **Implementing** an ISMS aligned with ISO/IEC 27001:2022
4. **Managing** information security risks through a documented risk assessment process
5. **Continuously improving** security controls via the Plan-Do-Check-Act (PDCA) cycle
Information security is everyone's responsibility. No business objective justifies unacceptable risk to customer data or system integrity without documented risk acceptance by authorized management.
---
## 4. Information Security Objectives
| # | Objective | Measure | Target |
|---|-----------|---------|--------|
| O-1 | Protect customer and company PII | Data breach incidents | Zero confirmed breaches per year |
| O-2 | Maintain platform availability | Uptime of production API | ≥ 99.5% monthly |
| O-3 | Respond to security incidents promptly | P1 incident acknowledgment time | ≤ 1 hour |
| O-4 | Remediate critical vulnerabilities | Mean time to patch (Critical CVE) | ≤ 7 days |
| O-5 | Maintain security awareness | Training completion rate | 100% of in-scope personnel |
| O-6 | Progress toward ISO 27001 certification | Roadmap milestone completion | Per [ISO27001_ROADMAP.md](../ISO27001_ROADMAP.md) |
Objectives are reviewed quarterly during management review.
---
## 5. Roles and Responsibilities
| Role | Responsibilities |
|------|------------------|
| **Executive Sponsor** | Approves this policy; allocates resources; chairs management review |
| **Information Security Officer (ISO)** | Operates ISMS; maintains risk register; coordinates audits and incidents |
| **Data Protection Officer (DPO)** | Ensures GDPR compliance; oversees DPIAs and data subject requests |
| **Engineering Lead** | Secure SDLC; code review; vulnerability remediation |
| **DevOps Lead** | Infrastructure security; secrets management; backups and monitoring |
| **All personnel** | Comply with policies; report incidents; complete security training |
---
## 6. Core Security Principles
### 6.1 Confidentiality
- Access to information is granted on a need-to-know basis
- PII and credentials must not be disclosed to unauthorized parties
- Secrets must never be committed to source control or included in logs
### 6.2 Integrity
- Production changes require peer review and follow change management procedures
- Data modifications must be traceable through audit logs where applicable
- Input validation is mandatory at all API boundaries
### 6.3 Availability
- Critical services (API, database, object storage) must have documented recovery procedures
- Capacity and rate limiting must protect against abuse-related outages
### 6.4 Defense in Depth
Security controls are layered across application, infrastructure, and process levels. No single control is relied upon exclusively.
### 6.5 Least Privilege
Users, services, and processes receive the minimum access required to perform their function.
---
## 7. Supporting Policies and Procedures
This policy is supported by:
| Document | ID |
|----------|-----|
| [Access Control Policy](./access-control-policy.md) | POL-002 |
| [Incident Response Plan](./incident-response-plan.md) | POL-003 |
| [Backup & Recovery Policy](./backup-and-recovery-policy.md) | POL-004 |
| [Acceptable Use Policy](./acceptable-use-policy.md) | POL-005 |
| [Risk Assessment Procedure](../procedures/risk-assessment-procedure.md) | PROC-001 |
---
## 8. Compliance and Enforcement
- Violations of this policy may result in disciplinary action, up to and including termination of employment or contract
- Regulatory breaches may result in legal liability and notification to supervisory authorities
- All personnel must acknowledge this policy upon onboarding and annually thereafter
---
## 9. Exceptions
Exceptions to this policy require:
1. Written request with business justification
2. Risk assessment of the exception
3. Approval by ISO and Executive Sponsor
4. Time-bound validity (maximum 12 months)
5. Entry in the risk acceptance log ([Risk Assessment Matrix §5](../RISK_ASSESSMENT_MATRIX.md#5-risk-acceptance-log))
---
## 10. Document Control
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2026-06-11 | Engineering | Initial policy |
**Approval**
| Role | Name | Signature | Date |
|------|------|-----------|------|
| Executive Sponsor | _Pending_ | | |
| ISO | _Pending_ | | |
---
## 11. Distribution
This policy is available to all in-scope personnel via the `docs/security/policies/` repository path and must be communicated during onboarding.