Security Policy

Last updated 10/08/2023

1. INTRODUCTION

BMIT Technologies Group, hereunder referred to as the ‘Company’, understands the importance of data security and makes every effort to ensure that customer data held on systems and within the data centres is fully protected.

The Company recognizes that the confidentiality, integrity and availability of information and data created, maintained and hosted by the Company and its customers is vital to the success of the business.

The Company’s management views these as primary responsibilities and fundamental to best business practice and, as such, has adopted the Information Security Management System Standard BS ISO/IEC 27001 and PCI DSS as its means to manage and meet the following objectives:

1.1. Comply with all applicable laws, regulations and contractual obligations including the Data Protection Act (GDPR).
1.2. Implement continual improvement initiatives, including risk assessment and treatment strategies, while making the best use of its management resources to meet and improve information security system’s requirements.
1.3. Communicate its Information Security objectives and its performance in achieving these objectives, throughout the Company and to interested parties.
1.4. Adhere to the Information Security Management System (ISMS) comprising a security manual and procedures that provide direction and guidance on information security matters relating to employees, customers, suppliers and interested parties who come into contact with the Company’s work.
1.5. Work closely with their customers, business partners and suppliers in seeking to establish Information Security standards.
1.6. Adopt a forward-looking view on future business decisions, including the continual review of risk evaluation criteria, which may have an impact on Information Security.
1.7. Train all members of staff in their needs and responsibilities for Information Security Management.
1.8. Constantly strive to meet its customers’ and staff’s expectations.
1.9. Information Security shall be considered in job descriptions and when setting staff objectives where applicable.
1.10. Appropriate Information Security training and awareness shall be provided to all staff to ensure principles and practices are embedded in the company culture.

2. PURPOSE

The purpose of this document is to provide information about the procedures Company maintains to ensure the security of its customers’ data, software and systems.

This document will cover the following areas:
1. Customer Authentication
2. Physical Security
3. Access Control
4. Network Security
5. Software Security
6. Media Handling
7. Auditing and Monitoring
8. Contingency Planning
9. Recruitment and Training

This policy applies to all Company employees or any other individual or supplier working for Company. Company management team are responsible for ensuring full compliance with this policy.

Unless written permission is obtained by the ISMS Chairperson, no part of this policy and other relevant policies can be ignored or bypassed. It is the responsibility of all staff members to report any such incidents in a timely fashion. It is the responsibility of the ISMS to review such incidents and identify the correct course of action.

The ISMS Chairperson was appointed by the management to provide an annual executive summary of the ISMS.

3. RESPONSIBILITIES

It is the responsibility of suppliers and customers dealing with BMIT Technologies to read and understand this policy.

4. DATA PROTECTION

Company is committed to complying with data protection legislation and good practice including:

• Processing personal information only where this is strictly necessary for legitimate organisational purposes
• Collecting only the minimum personal information required for these purposes and not processing excessive personal information
• Providing clear information to individuals about how their personal information will be used and by whom
• Only processing relevant and adequate personal information
• Processing personal information fairly and lawfully
• Maintaining an inventory of the categories of personal information processed by the Company
• Keeping personal information accurate and, where necessary, up to date
• Retaining personal information only for as long as is necessary for legal or regulatory reasons or, for legitimate organisational purposes
• Respecting individuals’ rights in relation to their personal information, including their right of subject access
• Keeping all personal information secure
• Only transferring personal information outside the EU in circumstances where it can be adequately protected
• The application of the various exemptions allowable by data protection legislation.

Further relevant policies can be found at www.bmit.com.mt/privacy

5. CUSTOMER AUTHENTICATION

Any support request sent to the Company by a Customer, whether for information about their service or to request assistance, must be validated to ensure the requester is who they say they are. This will reduce the risk of loss of confidentiality and data breaches.

If an unauthorized individual contacts the Company:
• The procedures and policies outlining authorization requests, including a blank authorization form if one-time only, are provided to the client, who is advised to have these filled in by an authorised contact;
• No requests are entertained from the unauthorized client;
• An email is sent to the Authorised official and/or contract signatory with the name and request of the individual requesting access.


6. PHYSICAL SECURITY

The Company’s data centre facilities are diversely located in Handaq and Smart City Malta and connected by secure, resilient high-speed back-up links. Both of our data centres have the following physical security features in place to protect both equipment and customer data.

All racks within the data centres are equipped with fully lockable doors which only authorised engineers have access to. Proximity door locks are fitted on all internal and external doors and extensive CCTV monitoring systems are installed on all internal and external walls.

CCTV monitoring systems include motion detection features that trigger CCTV recording in the event of any movement both inside and outside of the data centres (within the cameras’ range).

Company operates Uninterruptible Power Supply (UPS) systems and diesel generators on all of its sites to ensure that services remain available in the event of a power failure.

Full access control systems are in place that allow only authorized employees into secure areas; no other employees, customers or third parties are authorised to access these areas unless accompanied by an authorised engineer.

Any visitor access is strictly as per AD-PRC-2011-002 - Authorisation Clearance. All visitors are required to provide one week’s prior written notice of their visit and produce photo ID upon arrival at the data centre. The visitor’s details are kept for three [3] months rolling.

All Company staff are always required to carry their site access and identification card with them, and access is restricted to authorised areas only. The Company’s management team reserves the right to refuse access to anyone without a site access card.

7. ACCESS CONTROL

Access to the Company electronic information resources must be managed in a manner that maintains the confidentiality, integrity, and availability of resources, and in a manner that complies with any applicable compliance requirements. 

User account provisioning must include creation of unique credentials for new users and disablement and revocation of a terminated user’s access privileges upon termination.

Privileged access must only be provided to users as needed. Users with privileged user accounts (i.e. admin account on internal core systems) must also have an organizational user account, which follows the principle of least privilege, and must use this organizational user account for their day-to-day job functions. Privileged user accounts must only be used when elevated privileges are required by the system or application.

BMIT controls access through a set of defined profiles, and users are assigned to their profile upon employment or during a change of role. All requests for access must be logged in the service management system by sending an email to support@bmit.com.mt. Internal IT will review the request and assign the profile accordingly.

When remote access is required, a VPN connection must be used. Attempts to circumvent the use of the VPN connection for remote access are considered a serious breach of security.

Usernames and passwords for VPN users must follow the password policy.

The VPN must, at a minimum:
• Use two factors of authentication
• Use encryption
• Be unique to each user.

Only Company’s Core Engineers have full access to the hosted platforms, each engineer having their own individual login for optimum security. Authorised support staff have limited access to hosted services in order to provide technical support to customers.

7.1. SEPARATION OF DUTIES
To reduce the risk of accidental or deliberate system misuse, separation of duties and areas of responsibility must be implemented where appropriate.

Whenever separation of duties is not technically feasible, other compensatory controls must be implemented, such as monitoring of activities, audit trails and management supervision.


8. GENERAL SECURITY AND PASSWORDS

Any computer terminal with access to Company data must follow Company’s security policies. The user is responsible for the security of any computer terminal being used. Each unattended terminal needs to be locked, in order to prevent unauthorised users accessing the system.
Users need to select secure passwords. Passwords should not be dictionary words and should not contain personally identifiable or guessable information. Passwords must not be stored or transmitted in plain text. Passwords should not be lent. Company reserves the right to enforce the password selection process and to audit such at intervals.

Company has a clear desk and clear screen policy. It is expected that all confidential information in hardcopy or electronic form is secure, particularly at the end of the day and when expected to be away for an extended period of time.

Access to systems must be provided using individually assigned unique identifiers, known as user-IDs.

Associated with each user-ID is an authentication token (e.g., password) which must be used to authenticate the identity of the person or system requesting access. The Company implements multi-factor authentication to protect its information systems.

Automated techniques and controls are implemented to lock a session and require authentication or re-authentication after a period of inactivity. Information on the screen must be replaced with publicly viewable information (e.g., screen saver, blank screen, clock) during the session lock.

Passwords must not be stored on paper, or in an electronic file, hand-held device or browser, unless they can be stored securely and the method of storing (e.g., password vault) has been approved by the CTO.

Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.).

Access privileges will be granted in accordance with the user’s job responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with entity missions and business functions (i.e., least privilege).

Logon banners must be implemented on all systems where that feature exists to inform all users that the system is for business or other approved use consistent with policy, and that user activities may be monitored, and the user should have no expectation of privacy.

9. ACCEPTABLE USE

9.1. INTERNET FILES AND SOFTWARE
Employees must not download or accept any software that is not required for business purposes. Employees must screen all files downloaded from the Internet with virus detection software.
Employees must not make illegal copies of copyrighted software. All software used on employees’ computers within the firm must be a licensed copy and must adhere to the software owner’s copyright conditions.

9.2. MONITORING OF INTERNET USE
The Company reserves the right to monitor and log all connections between their networks and the Internet. These logs include the user’s name and those of the sites accessed. Such activity will be kept as per the retention policy.

9.3. BLOCKING OF INTERNET SITES
The Company reserves the right to block access to any Internet site or resource deemed inappropriate.

9.4. ACCESS RIGHTS
Users who do not have administrative access must NOT try to circumvent such enforcements. If users are found to have breached such security, disciplinary action might be enforced. This includes:
• Making changes to circumvent security software or other restrictions in place;
• Using systems that are not authorised by the Company to store and/or process data;
• The use of portable applications that are against policies;
• Making systems unavailable for one or more users through the use of unauthorised network devices;
• Attempting to impersonate other users.

10. NETWORK SECURITY

The network design is intended to deliver high performance and reliability to meet the needs of the operations whilst providing a high degree of access controls and range of privilege restrictions. The configuration of the network directly impacts its performance and affects its stability and information security. The network design takes into consideration that:
• Poor network stability can threaten operations;
• Inadequate control over access to the network can jeopardize the confidentiality and integrity of data;
• Slow or inadequate system response times impede the processing.

10.1. MANAGING THE NETWORK

The network is managed by the Core Team. Changes must be analysed for any potential security risk introduction.

10.2. ACCESSING NETWORK REMOTELY
Remote access control procedures must provide adequate safeguards through robust identification, authentication and encryption techniques. The need for remote access is to be clearly defined before it is granted. Users who require remote access will often be connecting through public unsecure networks. This increases the threat of unauthorized access; therefore, all individuals with remote access need to be advised of the risks and follow the procedure which is put in place governing how they connect to the intranet.

10.3. DEFENDING NETWORK INFORMATION FROM MALICIOUS ATTACK
All system hardware, operating and application software, the networks and communication systems are safeguarded at all times from physical access or network intrusion. All physical hardware is kept within designated rooms and/or cabinets which can only be accessed by the technical staff.
The technical staff is also responsible for ensuring that all network access points are secured. Unused ports are to be kept in disabled status on the network device. Non-IP authorized systems are denied access to critical systems.
Network cabling is also segregated from Power cabling to ensure no interference is experienced. Special cable trays exist within the designated areas for cable runs to be passed neatly and safely to make sure they are not affected.

Access to designated areas is defined by the user’s job requirements and controlled by their card access.

11. SOFTWARE SECURITY

Company’s Core Engineers are responsible for all software security updates on Company’s infrastructure.

Company operates a strict software security policy throughout the organisation to provide increased security across the network.

All software loaded onto Company’s IT systems must be legally purchased and licensed and access to install programmes is restricted to members of the Core team only. Any application launched on Company’s infrastructure must have its suitability verified by Company’s Core Department and approved by the CTO prior to rollout.
Furthermore, Company employees must ensure that systems conform to the security policies set up by the company. The employee must NOT in any way tamper with or impede these operations:
• Anti-Malware software is installed, up to date and allowed to perform regular scans;
• The software firewall is enabled and maintained properly;
• Secure methods are used to transfer files;
• Authentication is set up on all systems;
• User is logged out following inactivity periods;
• Understand the features installed are to assist with security and not hinder the user;
• Use a high security level on your Internet browser;
• Never share any details on security.


12. OPERATIONS SECURITY

Systems and the physical facilities in which they are stored must have documented operating instructions, management processes and formal incident management procedures related to information security matters which define roles and responsibilities of affected individuals who operate or use them.
System configurations must follow approved configuration standards.

Advance planning and preparation must be performed to ensure the availability of adequate capacity and resources. System capacity must be monitored on an ongoing basis.

Controls must be implemented (e.g., anti-virus, web filtering) across systems where technically feasible to prevent and detect the introduction of malicious code or other threats.

Controls are in place to disallow the installation of software on company devices.

Systems are maintained at a vendor-supported level to ensure accuracy and integrity, and security patches are applied in a timely manner.

Monitoring systems are deployed (e.g., intrusion detection/prevention systems) at strategic locations to monitor traffic.

An evaluation of the criticality of systems used in information processing is done, and Recovery Time Objectives (RTO)/Recovery Point Objectives (RPO) for all critical systems are defined.

Backup copies of Company information are taken regularly in accordance with the Company’s defined requirements, and backups and restoration are tested regularly.


13. VULNERABILITY MANAGEMENT

Vulnerability assessments must be conducted periodically to ensure systems are fully protected. The Company performs a monthly Vulnerability scan for all our systems which are externally accessible. This scan is performed from an external source, by a member of the core team. Any other attempts to perform such vulnerability scanning/penetration testing will be deemed an unauthorized access attempt.
• All systems must be scanned for vulnerabilities before being installed in production and periodically thereafter.
• The periodic vulnerability assessments must be made using enterprise level scanning tools.
• A 3rd party might be contracted to carry out the assessment at the sole discretion of the organization’s CTO.
• Scans must be performed at set times to minimize disruption to normal business functions.
• Internal Confidential data must be protected during scans.
• A scale for determining the severity of each vulnerability must be used.
• Appropriate action, such as patching or updating the system, must be taken to address discovered vulnerabilities. For any discovered vulnerability, a plan of action and milestones must be created, and updated accordingly, to document the planned remedial actions to mitigate vulnerabilities.
• Tampering with the results or implementing temporary fixes during the scans will lead to disciplinary action.
Anyone authorized to perform vulnerability scanning/penetration testing must have a formal process defined, tested and followed at all times to minimize the possibility of disruption.

14. INFORMATION CLASSIFICATION AND HANDLING

14.1. Information Classification

Information classification is extremely important as the information handling process is built upon it. The list below identifies the basic handling guidelines for the data as classified. It is noted that identified data assets may be subject to specified handling as listed on Company’s ISMS management system.
It is the responsibility of all Company staff to ensure that the Company information assets are protected and handled appropriately. Data assets are identified in ISMS management system and all handling requirements are listed accordingly.

• The owners of the information are responsible for classifying the document appropriately;
• Where possible, the classification type should be embedded in the information asset itself;
• Company staff must ensure all documents classified as non-public are effectively protected and access is confined to authorized eyes only.

All information must be classified into one of three categories. The category chosen must be appropriate for the data type.

14.2. Public and unclassified media

Markings: BMCL: Public
Physical and Logical Controls: None required
Reproduction: Unlimited or as per Copyright
Distribution: No restrictions
Disposal: Trash

14.3. Confidential

Markings: BMCL: Confidential – Internal Use
Physical and Logical Controls:
• The author should make sure proper markings are in place. Users are required to ensure information is stored and controlled.
• Encryption: Yes – Data can only be read by BMIT recipient. Access is revoked after 21 days unless credentials can be verified.
Reproduction: Limited copies may be made only if necessity arises.
Distribution: Internal unrestricted; External sealed envelope marked as Confidential;
Disposal: Printed media shredded; As per media handling policy included in AD-POL-2011-003 - Security Policy.

14.4. CONFIDENTIAL EXTERNAL
Markings: BMCL: Confidential - External
Physical and Logical Controls: Author is responsible for ensuring information to be clearly marked. Recipients must not share the information.
Reproduction: Limited copies may be made under the approval of the original distributor.
Distribution: Internal - sealed envelope; External - sealed envelope and sent by registered mail or hand delivered, marked as Confidential;
Disposal: Printed media - shredded;

14.5. CLIENT’S MEDIA

The disposal and handling of client’s media is the sole responsibility of the client. The Company is not responsible for the safe disposal and/or destruction of said media.

Where the media belongs to the Company, the media is archived permanently in secure storage with limited access. Where the need arises for the backup media to be disposed entirely, it must be destroyed through appropriate means and where required, a certificate for the destruction of media is issued accordingly from the responsible parties for the destruction.

Paper media must be shredded. It is often best to shred multiple sheets at the same time to help ensure that the contents cannot be reassembled. Backup media handling is as per AD-POL-2011-003 - Security Policy.


15. AUDITING AND MONITORING

Having visibility of the ongoing activity on the network infrastructure is crucial to maintaining the expected level of service availability, performance and security. All Company Core Networking equipment (switches and routers) must keep an activity log on an external syslog server.

Every day an automated script checks all the logs on each server and analyses the content. It then emails a report to the core team with any warnings found. If no warnings are found, a report is still sent to advise the green status of the equipment.

All issues are logged by Service Requests and major faults or problems relating to the network are escalated to the Core team and/or CTO accordingly.

16. INCIDENT MANAGEMENT

An Information Security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of the Company’s information and weaken or impair the Company’s business operations. An information security event indicates that the security of an information system, service, or network may have been breached or compromised. An information security event indicates that an information security policy may have been violated or a safeguard may have failed.

All incidents must be reported immediately by a phone call to the CTO and logged in the GRC system accordingly. Depending on the incident, the CTO will decide whether to initiate any BCP procedure.

17. CONTINGENCY PLANNING

In line with our ISO 27001 certification, Company operates its own disaster recovery procedures. In the event of any security issue being identified, an escalation process is in place whereby engineers are alerted by Service Request. Upon completion of the remedial work and resolution of the fault, the Service Request is closed.

Company has a continued, ongoing commitment to data security and availability. In addition, Company reserves the right to take all contractually allowable measures in respect of a customer’s service if it is believed that the use of the service constitutes a security threat to Company or any other users/customers on Company’s infrastructure.

18. PERSONNEL SECURITY, RECRUITMENT AND TRAINING

All candidates employed by Company are subject to screening. As part of this process, all references are followed up for new employees, and security training is included within both the induction training programme and ongoing training.

Company implements an internal IT Code of Conduct that all employees must adhere to, so as to ensure the security and integrity of software, systems, hardware and data, in line with the requirements of ISO 27001 and PCI DSS.

The workforce must receive general security awareness training at least annually, which must be tracked by the Company. The Company requires its workforce to abide by its Security Policy, and an auditable process is in place for users to acknowledge that they agree to abide by the policy’s requirements.

All job positions must be evaluated by the to determine whether they require access to sensitive information and/or sensitive information technology assets.

A process is established within the Company to review user access periodically and upon change of job duties or position.

Employees and Contractors are responsible for ensuring all issued property is returned prior to an employee’s separation and accounts are disabled and access is removed immediately upon separation.