Information Security Policy Document

CX Index Executive Management will provide direction to, approve, publish and communicate the merits of an Information Security Policy document. This Information Security Policy document shall outline managements’ approach to Information Security as well as providing CX Index with a strong indication of the management’s commitment to Information Security within CX Index.

The purpose of this policy is to communicate the direction of CX Index’s Information Security Program by providing relevant, accessible and understandable definitions, statements and explanations.

The Information Security Policy Document shall:

Define information security as well as its scope and importance in CX Index;
Include a statement of management’s intent for information security;
Include a statement of management’s goals and principles of information security;
Explain CX Index’s security policies, standards and compliance requirements, including:
Compliance with legislative and contractual requirements,
Security education and awareness commitment,
Consequences for security violations.
Prevention and protection against viruses and other malicious software attacks,
Commitment to well thought-out and effective business continuity management.
Outline specific responsibilities for information security management.
Outline policies and procedures for reporting security incidents.

The Information Security Policy Document shall serve as a reference document that will lead to additional more detailed information when necessary (for instance employee manuals etc.).

Review and Evaluation of Information Security Policy

The Senior Management shall be the owner of this Information Security Policy Document. The owner of the document shall be responsible for maintaining and reviewing the policy based upon a defined review process. The policy shall be reviewed at least annually and updated in response to any changes that would affect the assumptions from the baseline risk assessment, such as significant security incidents, new vulnerabilities, new regulations or changes to CX Index’s infrastructure.

The reviews shall include an assessment of the policy’s effectiveness based upon:
The nature and number and impact of recorded security incidents;
Cost and impact of controls on business efficiency;
Effects of changes to technology.