RezExpert Security Policy based on ISO 27001
Version: 1.1
Date: January 1, 2024
Purpose
To provide guidelines and a procedural framework for the secure operation, administration, and management of the RezExpert property management system, in alignment with ISO 27001 standards.
Scope
This policy applies to all employees, contractors, vendors, and third-party service providers who have access to or interact with RezExpert and associated data.
Normative References
- ISO/IEC 27001:2017
- ISO/IEC 27002:2013
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
Roles and Responsibilities
- Information Security Officer: Ensure overall policy compliance and coordinate risk assessments.
- IT Manager: Oversee the technical implementation of the policy and maintain security controls.
- HR Manager: Conduct and maintain records for employee security awareness training.
Policy Objectives
- To protect the confidentiality, integrity, and availability of information stored in and processed by RezExpert.
- To comply with legal, regulatory, and contractual obligations.
Policies and Controls
Access Control (ISO 27001, A.9)
- User Access Management: All users must be assigned specific roles following the principle of least privilege.
- Authentication: Multi-factor authentication (MFA) shall be enabled for all users, and in particular for administrative roles when accessing any infrastructure or dependent services.
- Review and Removal: Quarterly reviews of access rights must be conducted to remove or adjust permissions.
Operations Security (ISO 27001, A.12)
- Patch Management: Security patches must be applied within one month of release, unless exceptions are approved by the Information Security Officer.
- Malware Protection: Anti-malware solutions must be deployed on all servers and user endpoints interacting with RezExpert.
Cryptographic Protection (ISO 27001, A.10)
- Data Encryption: AES-256 or a stronger encryption standard must be used for encrypting data at rest.
- Data in Transit: Transport Layer Security (TLS) 1.2 or higher must be used for data in transit.
Physical and Environmental Security (ISO 27001, A.11)
- Secure Facility: Servers should be hosted in data centers compliant with ISO 27001 or an equivalent standard.
- Physical Access Control: Biometric security systems must be in place to control physical access to critical infrastructure.
Communications Security (ISO 27001, A.13)
- Network Segmentation: RezExpert systems should reside on a segmented network, separate from other business systems.
- Firewalls and IDS/IPS: Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) should be configured to monitor and control inbound and outbound traffic.
Incident Management (ISO 27001, A.16)
- Incident Reporting: All security incidents must be immediately reported to the Information Security Officer.
- Incident Response Plan: A formal incident response plan must be developed and tested semi-annually.
Compliance (ISO 27001, A.18)
- Internal Audits: Audits to check compliance with this policy and ISO 27001 must be conducted bi-annually.
- Policy Violations: Non-compliance may result in disciplinary action up to and including termination of employment.
Awareness and Training (ISO 27001, A.7)
- Training Programs: Online training modules should be completed by all relevant personnel annually.
- Phishing Simulations: Random phishing simulation tests should be conducted quarterly to assess user awareness.
Implementation and Monitoring
This policy will be implemented immediately upon approval. Compliance will be continuously monitored through internal audits and vulnerability assessments. The policy will be reviewed annually or after significant changes to the business environment or technology stack.