1.1. Purpose & scope
Marine Instruments publishes, distributes, implements, and periodically reviews this Information Security Policy in accordance with the terms of the ISO 27001 standard.
Following delivery, the external provider must acknowledge receipt and comprehension of this Policy. If no comments are received from the external provider within one week of the date of delivery, the Policy will be understood to be accepted.
This Policy applies to:
• Information Technology Services.
• IT infrastructure component suppliers and their representatives.
• Infrastructure maintenance providers.
1.2. Reference documents
This document covers all or part of the following ISO/IEC 27001:2013 requirements:
- ISO/IEC 27001:2013, Annex A.
This document refers to the following supporting documentation:
- Information Security Policy.
- Information Classification Policy.
This policy has been published and approved by the Information Security Committee, which is responsible for developing, implementing, and updating it.
- Providers may connect to our infrastructure from their own premises under supervision. Remote connections via VPN or other supervised means are permitted.
- All information, documentation, programs and/or applications, methods, organizational information, business strategies, and activities related to Marine Instruments or its projects to which providers have access in order to deliver the service shall be considered confidential. This information shall always be processed according to the intended purposes described in the service provision contract and in observance of the corresponding duty of professional secrecy, both for the duration of the service and after the end of the contractual relationship with Marine Instruments.
- All resources and information to which providers have had access or which it has been necessary to prepare, modify, or copy in the course of the proper performance of the service shall be returned on completion of that service.
- The means of communication employed shall be those authorized in the Marine Instruments integrated internal and external communications procedure, and the external provider shall be informed of these, where applicable, by email or telephone.
- Service providers must ensure that all personnel who have access to Marine Instruments information, information systems, or resources in the performance of their functions comply with the following basic requirements when performing their tasks:
  - Users must not use the ID of any other user even if authorized to do so by the owner.
  - Users must be cognizant of and apply the criteria and procedures in effect relating to the information handled.
  - All persons with access to Marine Instruments information must ensure that their equipment is protected when unattended.
  - Persons with access to Marine Instruments information systems must never conduct tests to detect and/or exploit potential security breaches or incidents without written authorization.
  - Persons with access to Marine Instruments information systems must not attempt to circumvent the security systems and authorizations in place without express written authorization. Users are not permitted to capture network traffic unless they are conducting auditing tasks that have been authorized in writing.
This document shall enter into force on the day it is approved.