
Security Program Management Policy

BlueNotary Information Security Program Management Policy

Document Owner:
Effective Date:
Version: 1.0
Document Approver:

01 Overview and Scope

01.01 Overview

In accordance with mandated organizational security requirements set forth and approved by

management, BlueNotary has established a formal Information Security Program Management

Policy and Procedures. This comprehensive Policy is implemented immediately along with all

relevant and applicable procedures.

The Policy Owner owns this Policy and is responsible for reviewing the Policy on an annual

basis and following any major changes to BlueNotary’s sensitive data environment to ensure

that it continues to meet its organizational goals. The Policy Owner is also responsible for

ensuring that the Information Security Program Management Procedure is reviewed and

updated on an annual basis and following any major changes.

01.02 Purpose

This Policy and supporting Procedures are designed to provide BlueNotary with a formalized

information security policy to comply with various regulatory and business

requirements. Additionally, this Policy serves as the organization’s primary, enterprise-wide

information security manual. Compliance with the stated Policy and supporting procedures

helps ensure the safety and security of all BlueNotary’s system components within the sensitive

data environment as well as any other environments deemed applicable.

01.03 Scope

This Policy and supporting Procedures cover all system components within the sensitive data

environment owned, operated, maintained, and controlled by BlueNotary. This Policy and

supporting Procedures cover all other system components (both internally and externally) that

interact with these systems and all other relevant systems:

● Internal system components are those owned, operated, maintained, and controlled by

BlueNotary, including all network devices (firewalls, routers, switches, load balancers,

other network devices), servers (both physical and virtual servers, along with the

operating systems and applications residing on them), as well as any other system

components deemed in scope; and

● External system components are those owned, operated, maintained, and controlled by

any entity other than BlueNotary. These external systems may impact the confidentiality,

integrity, and availability (CIA) and the overall security of the sensitive data environment,

along with any other environments deemed applicable.

Please note that the terms "system component(s)" and "system resource(s)" refer to the following: any network component, server, or application included in or connected to the sensitive data environment, or any other relevant environment deemed in-scope for purposes of information security.

This Policy and supporting Procedures cover all employees, interns, volunteers, and contractors (all of these individuals will be referred to as "Employees" throughout this Policy and these Procedures unless otherwise noted). Both Policy and Procedures will be made available to Employees, who will be required to sign an acknowledgement that they have read this Policy and these Procedures and agree to abide by them.

01.04 Monitoring and Enforcement

BlueNotary periodically monitors adherence to this Policy to help ensure compliance with

applicable laws, requirements, and contractual agreements applying to client and consumer

data.

Penalties for failing to comply with BlueNotary’s policies and procedures could lead to

disciplinary and/or enforcement actions against individuals and lead to sanctions brought

against BlueNotary. Depending on the seriousness of the offense, enforcement actions could

include civil and/or criminal charges brought against violators.

01.05 Management Commitment

BlueNotary’s management is committed to and takes responsibility for implementing

appropriate technical and organizational safeguards to ensure the protection of sensitive

information (including personally identifiable information). BlueNotary is also committed to

demonstrating that any processing of sensitive information (including personally identifiable

information) is in compliance with all applicable regulations. Implemented measures will be

reviewed and updated as necessary.

01.06 Roles and Responsibilities

Management

Management will demonstrate commitment to and leadership over BlueNotary’s security and

privacy management systems by ensuring the following:

● Establishment of security and privacy policies and objectives in alignment with

BlueNotary’s strategic direction;

● Integration of security and privacy requirements into BlueNotary’s processes;

● Availability of security and privacy resources;

● Communication of security and privacy importance to employees, third parties, and both

internal and external stakeholders as well as conformity to security and privacy

requirements;

● Achievement of the intended outcomes of the security and privacy programs;

● Contribution of direct and support personnel to the effectiveness of the security and privacy programs;

● Continual improvement of the security and privacy programs;

● Support for other management roles in demonstrating leadership applied to their areas

of responsibilities;

● Assignment and communication of responsibilities and authorities for the security and privacy programs, ensuring that the programs conform to regulatory and contractual requirements, with reports of performance provided to management; and

● Establishment of adequate monitoring and enforcement of policies and procedures.

Privileged Users

Privileged users are employees with elevated access to systems (such as system

administrators) or individuals with assigned roles and responsibilities related to security and

privacy. Privileged users are required to abide by and understand their assigned responsibilities

related to their elevated access rights along with their limitations in using these privileges.

Privileged users must understand their obligations and liabilities in utilizing their privileges and

ensure that they abide by separation of duties related to security and privacy activities.

Employees

Employees are responsible for abiding by and understanding all BlueNotary’s policies and

procedures related to security and privacy. Employees are required to sign an

acknowledgement that they have read and will abide by these policies and procedures.

Employees will be subject to disciplinary actions, up to and including termination, for failing to

abide by these policies and procedures.

Responsibilities include adhering to the organization’s information security policies, procedures,

and practices, and not undertaking any measure to alter such standards on any such

BlueNotary system components. Additionally, end-users are to report instances of non-compliance, specifically those by other users, to senior authorities. End users, while undertaking day-to-day operations, may also notice issues impeding the safety and security of BlueNotary system components and are to report such instances immediately to senior authorities.

Third Parties

Third parties such as external service providers are responsible for abiding by BlueNotary’s

policies and procedures related to security and privacy. Third parties must sign agreements with

BlueNotary concerning their responsibilities for implementing safeguards to protect the security

and privacy of data provided by BlueNotary. Third parties failing to abide by these security and

privacy requirements may be subject to legal actions, including the termination of contracts for

services.

Responsibilities for such individuals and organizations are much like those stated for end-users:

adherence to BlueNotary’s information security policies, procedures, and practices, and not

undertaking any measure to alter such standards on any such system components.

Chief Technology Officer (CTO)

Responsibilities include providing overall direction, guidance, leadership, and support for the

entire information systems environment while also assisting other applicable personnel in their

day-to-day operations. The CTO reports to other members of senior management regularly

regarding all aspects of the organization’s information systems posture.

Chief Information Security Officer (CISO)

The CISO is the designated security official with the mission and resources to coordinate,

develop, implement, and maintain an organization-wide information security program. The CISO

is responsible for the policies, procedures, and security controls required to comply with

regulatory as well as contractual requirements. The CISO will assist the CTO in the overall

direction of the information system environment while also assisting other applicable personnel

in their day-to-day operations. This role requires extensive identification of industry regulations,

benchmarks, standards, and frameworks effectively utilized by the organization for provisioning,

hardening, securing, and locking-down critical system components. Subsequent to the

researching of such standards, the CISO oversees the establishment of a series of baseline

configuration standards to include, but not limited to, the following system components: network

devices, operating systems, applications, internally developed software and systems, and other

relevant hardware and software platforms. Because baseline configurations will change, the

CISO will update the applicable configurations as well as document all modifications and

enhancements as required. The CISO chairs the Security Committee made up of senior

management members and directly reports to the Chief Executive Officer (CEO).

Risk and Compliance Officer

The CEO, or, if applicable, the Board of Directors, will appoint the Risk and Compliance Officer

from the senior management staff of BlueNotary. The Risk and Compliance Officer will report

directly to the CEO, or the Board of Directors, and will carry the responsibilities for reporting

directly to the Executive Committee at least twice a year. The Risk and Compliance Officer’s

primary responsibilities include, but are not limited to:

● Performing, monitoring, and implementing the risk and compliance program;

● Reporting at least twice a year to the organization’s Risk Committee and Executive

Committee on implementation progress, and assisting governing authorities to establish

mechanisms to improve the company’s efficiency and quality of services and to reduce

potential vulnerability to fraud, abuse, and waste;

● Revising the program at least annually, based on newly published changes in governmental guidance, in applicable law, and in the policies and procedures of government and clients, and on the needs of the organization;

● Developing and participating in educational and training programs focusing on the

elements of the compliance program and ensuring all appropriate employees and

management personnel are knowledgeable about, and comply with, pertinent federal

and state standards;

● Ensuring independent contractors and agents who furnish services for the company are

aware of the requirements of the Policy with respect to affected operations;

● Coordinating personnel issues with the Chief Operations Officer (COO), managers, and the human resources department to ensure that proper references have been checked with respect to all employees, staff, and independent contractors;

● Assisting the COO and management in coordinating internal compliance reviews and

monitoring activities, including quarterly reviews of departments;

● Independently investigating and acting on matters related to compliance, including the

flexibility to design and coordinate internal investigations (e.g., responding to reports of

problems or suspected violations) and any resulting corrective action with all

departments and, if appropriate, independent contractors; and

● Developing policies, procedures, and programs encouraging managers and employees

to report suspected fraud and other improprieties without fear of retaliation by

management.

The Risk and Compliance Officer has the authority and the obligation to review any and all

documents and other information relevant and applicable to compliance activities, including, but

not limited to, customer records, client records, records concerning the marketing efforts of the

company, and the company’s arrangements with other parties, including employees,

independent contractors, suppliers, and agents. This Policy provides for the Risk and

Compliance Officer to review contracts and obligations (seeking the advice of legal counsel,

where appropriate) containing payment issues that could violate relevant statutes as well as

other legal or regulatory requirements.

Systems Administrator

Responsibilities include implementing the baseline configuration standards for all in-scope

system components. This requires obtaining a current and accurate asset inventory of all

systems, assessing their initial posture with the stated baseline, and implementing the

necessary configurations. Because of the complexities and depth often involved with these

activities, numerous personnel designated as Systems Administrators are often engaged in

assigned system administration tasks.

These individuals are responsible for monitoring compliance with the stated baseline

configuration standards, reporting to senior management all instances of non-compliance, and

reporting efforts undertaken to correct any identified issues. Because these individuals

undertake the majority of the operational and technical procedures for the organization, it is

critical to highlight other relevant duties, such as the following:

● Assessing and analyzing baseline configuration standards to ensure they meet the intent

and necessary rigor for the overall safety and security (both logically and physically) of

critical system components;

● Ensuring the asset inventory for all in-scope system components is kept current and

accurate;

● Ensuring network topology documents are kept current and accurate;

● Facilitating requests for validation of baseline configurations for purposes of regulatory

compliance assessments and audits (e.g., SOC-2 compliance, PCI compliance, SSAE

16 reporting, HIPAA, FISMA, GLBA); and

● Ensuring continuous training and certification accreditation for purposes of maintaining

an acceptable level of information security expertise necessary for configuration

management.

Additional duties of Systems Administrators include the following:

● Establishing a network environment by designing system configuration; directing system

installation; and defining, documenting, and enforcing system standards;

● Optimizing network performance by monitoring performance, troubleshooting network

problems and outages, scheduling upgrades, and collaborating with network architects

on network optimization;

● Updating job knowledge by participating in educational opportunities, reading

professional publications, maintaining personal networks, and participating in

professional organizations;

● Securing network systems by establishing and enforcing policies and defining and

monitoring access; and

● Reporting network operational status by gathering and prioritizing information and

managing projects.

Software Developers

Responsibilities include developing secure systems by implementing the required baseline

configuration standards into all systems and software development lifecycle (SDLC) activities.

Coding for security, not merely for functionality, is a core approach to which all software developers are to adhere. They are responsible for identifying any other necessary baseline configuration standards when warranted. In practice, this requires removing, disabling, and not implementing insecure services, protocols, or ports for the sake of ease-of-use, since these could ultimately compromise the systems being developed. Software Developers are responsible for

following a structured project management framework utilizing a documented SDLC process

complete with well-defined change management policies, processes, and procedures.

Moreover, these personnel are to support and coordinate all required requests for validation of

the baseline configurations being developed within their systems for purposes of regulatory

compliance and/or internal audit assessments.

Additional duties of Software Developers include the following:

● Developing software solutions by studying information needs; conferring with users;

studying systems flow, data usage, and work processes; investigating problem areas;

and following the software development lifecycle;

● Determining operational feasibility by evaluating analyses, problem definitions,

requirements, solution development, and proposed solutions;

● Maintaining adequate documentation via flowcharts, layouts, diagrams, charts, code

comments, and clear code;

● Preparing and installing solutions by effectively designing system specifications,

standards, and programming;

● Improving operations by conducting systems analyses and recommending changes in

policies and procedures; and

● Obtaining and licensing software from vendors.

Change Management Personnel

Responsibilities include reviewing, approving, and/or denying all changes to critical system

components and specifically for purposes of any changes to the various baseline configuration

standards. While changes are often associated with user functionality, many times issues of

vulnerability, patch, and configuration management are brought to light with change requests. In

such cases, authorized change management personnel are to extensively analyze and assess

these issues to ensure the safety and security of organization-wide system components.

02 Information Security Program and Leadership: PM-02

BlueNotary’s management will appoint a senior information security official with the mission and

resources to coordinate, develop, implement, and maintain an information security program.

Management will also establish defined roles and responsibilities to oversee the implementation

of the security and control environment. To support this effort, BlueNotary will ensure that the

organizational chart is documented and defines the organizational structure and reporting lines.

BlueNotary will also ensure that the organizational chart is updated on an annual basis.

03 Measures of Performance: PM-06

BlueNotary will develop, monitor, and report on the results of information security and privacy

measures. Managers are required to complete performance appraisals for direct reports at least

annually.

04 Enterprise Architecture: PM-07

BlueNotary will develop and maintain an enterprise architecture with consideration for

information security, privacy, and the resulting risk to organizational operations. To achieve this,

the organization will ensure that the enterprise architecture meets the minimum requirements:

● Maintains current network diagrams and data flow diagrams of the enterprise

architecture and related functions and services offered by the organization;

● Keeps up-to-date network diagrams that are reviewed at least annually;

● Keeps up-to-date data flow diagrams that are reviewed at least annually; and

● When needed, describes, documents, and communicates the service environment and

boundaries to both internal and external authorized users.

05 Risk Management Program and Leadership: PM-09

BlueNotary will establish and document a Risk Management Program that:

● Manages security risk to organizational operations and assets, individuals, other

organizations, and the nation associated with the operation and use of organizational

systems;

● Manages privacy risk to individuals resulting from the authorized processing of

personally identifiable information;

● Implements the risk management strategy consistently across the organization;

● Reviews and updates the Risk Management Program annually or as required to address organizational changes;

● Provides guidance on the identification of potential threats, ratings of the significance of

the risks associated with the identified threats, and mitigation strategies for those risks;

● Establishes a Risk Committee with oversight responsibilities for internal controls;

● Ensures that the Risk Committee includes directors who are independent of the internal

control function;

● Ensures that the Risk Committee meets on a monthly basis and maintains formal

meeting minutes; and

● Assigns a senior official accountable for the company's risk management.

Related Documents

● Information Security Program Management Procedures

● Awareness and Training Policy

● Assessment, Authorization, and Monitoring Policy

● Configuration Management Policy

● Risk Assessment Policy

● Third-Party Risk Management Policy

Change Control

Date: 15/01/2023
Version: v1
Change(s): Initial Changes
Reason for Change(s): Initial changes
Change(s) Made By: Rohit Patel

TITLE Information Security Program Management Policy

FILE NAME Information Security Program Management Policy.pdf

TIMESTAMP 01/29/2023 at 16:33:47

VERSION V-2

OWNER Rohit Patel

APPROVER Rohit Patel

Document History

V-2 01/29/2023

at 16:33:47

Changed by: Andy Blue andy@bluenotary.us

Comments: all systems go

V-1 01/15/2023

at 20:10:34

Changed by: Rohit Patel rohit@bluenotary.us

Comments: Initial Changes

Updated on: 23/02/2025
