The following document defines the roles and responsibilities of each user with regard to information security at Seven Seven Co Ltd (“Dreamprice” or “the Company”).
This document provides an overview of Information Security Services (ISS) policies, procedures, standards, and guidelines. These policies are an important aspect of information security and are written to protect user accounts, corporate data, and intellectual property owned by the Company. The rules stated in this policy are enforced to protect both the user and the Company.
This policy applies to all users. Users are defined as anyone with authorized access to the Company’s technology resources, including permanent and temporary employees or third-party personnel such as temporaries, contractors, consultants, and other parties with valid Dreamprice access accounts.
Information is a critical asset of the Company and must be protected from unauthorized exposure, deletion, and modification, whether deliberate or accidental.
Everyone associated with Dreamprice has a role in information security. The Company’s success depends upon its ability to offer products and services with a high level of customer satisfaction. Dreamprice is the trusted custodian of data entrusted to it by its customers, employees and other stakeholders. Therefore, the Company must ensure that due care is exercised in the protection of this data.
Dreamprice’s employees, temporaries, contractors, consultants, and other workers at the Company, including all personnel affiliated with third parties, are responsible for participating in the security of the environment. ISS management has provided guidance in creating this secure environment by establishing information security policies, approving roles and responsibilities, and providing consistent coordination of security efforts across the Company’s outlets.
- Due care – Due care states that the Company has taken the necessary steps to protect the Company, its resources, and employees from possible risk at a level equivalent or superior to peer companies.
- ISS – Information Security Services.
- Malware – Malware is short for malicious software, such as viruses, worms, trojan horses, spyware, ransomware, and bots and botnets. Spam and phishing are not malware themselves but are common delivery methods for it, and are covered by the same reporting obligations.
- Technology resources – The Company’s technology resources comprise the computing, networking and software applications that can be accessed by authorized Dreamprice users.
- User – A user is defined as anyone with authorized access to the Company’s technology resources including permanent and temporary employees or third-party personnel such as temporaries, contractors, consultants, and other parties with valid Dreamprice access accounts.
Information security is essential to the sustainability of the business and the maintenance of public trust. While the needs of the business in a particular situation will always determine the appropriateness of any security standard in that situation, non-compliance without valid justification will not be tolerated. All personnel who use, have access to, or are responsible for the Company’s information assets, and the Company itself, shall abide by all relevant laws, including the Computer Misuse and Cybercrime Act and the Data Protection Act 2017. Violators are subject to disciplinary action, up to and including termination of employment, and legal action.
To ensure observance of the Company’s Information Security Policy, compliance reviews are conducted periodically and as part of the Corporate Governance principles adopted by the Company. These reviews determine whether the Company’s information assets are satisfactorily protected. They test the effectiveness of business practices, the safeguards implemented for computer systems and the security features included in application designs, and confirm that any identified risks have been mitigated.
Section 1 Roles and Responsibilities
Security is the responsibility of all users. Anyone with authorized access to the Company’s technology resources, including permanent and temporary employees or third-party personnel such as temporaries, contractors, consultants, and other parties with valid Dreamprice access accounts, is considered a user.
Users must comply with all established ISS policies, procedures, standards, and guidelines. The following roles identify the specific responsibilities each person or department performs in the overall security of the Company’s information assets.
1.1 Users
The user’s responsibilities include, but are not limited to:
- Maintaining the confidentiality and security of their passwords;
- Reporting suspected security violations to ISS or Technical Support;
- Knowing and following ISS policies, procedures, standards, and guidelines;
- Using corporate information and computing resources responsibly and for authorized purposes only.
1.2 Managers
Managers at the Company have the same responsibilities as users, as well as the following additional responsibilities:
- Ensuring that all reporting personnel are knowledgeable of and following ISS policies, procedures, standards, and guidelines;
- Working with personnel to correct any identified security defects or violations;
- Bringing issues to the attention of appropriate managers, as needed.
1.3 Business Owners
Business owners provide approvals and reviews of access on a periodic basis for their area of ownership. Responsibilities include, but are not limited to:
- Ensuring that policies, procedures, standards, and guidelines are developed for their area of responsibility (with ISS consultation);
- Ensuring that an appropriate level of security is applied to their area of ownership;
- Bringing issues to the attention of appropriate managers, as needed;
- Assisting with disciplinary actions and legal or criminal matters associated with alleged security breaches.
1.4 Information Technology
Information Technology (IT) is responsible for developing, implementing, and maintaining computer systems and applications for the Company. In general, the responsibilities of all IT personnel include, but are not limited to, the following:
- Ensuring the confidentiality, integrity, and availability of the Company applications and computing resources;
- Creating and maintaining system documentation;
- Ensuring the confidentiality and integrity of information by not abusing system-level or elevated rights and by not bypassing ISS policies, procedures, standards, and guidelines;
- Communicating and coordinating with ISS on security related incidents and issues;
- Participating in the investigation of alleged network security breaches by helping to determine root cause, impact, remediation, and, if necessary, assisting with disciplinary actions and legal or criminal matters associated with such breaches;
- Ensuring that applications, systems, and databases are developed, implemented, deployed, and maintained in adherence to ISS policies, procedures, standards, and guidelines.
1.5 Managers of Information Technology
Managers of Information Technology have additional responsibilities including, but not limited to, the following:
- Ensuring that IT personnel are aware of ISS policies, procedures, standards, and guidelines, and conduct their work in compliance with these documents;
- Periodically reviewing department processes and procedures to ensure compliance with security policy, procedures, standards, and guidelines;
- Ensuring that any new projects or upgrades include information security requirements and are compliant with ISS policies, procedures, standards, and guidelines.
1.6 Information Security Services
ISS is responsible for ensuring the confidentiality, integrity, and availability of the Company’s technology resources. Responsibilities include, but are not limited to, the following:
- Documenting and monitoring ISS policies, procedures, standards, and guidelines to ensure effectiveness;
- Ensuring that ISS policies, procedures, standards, and guidelines remain practical and relevant;
- Promoting security awareness, both for the Company users as well as the Company IT;
- Assessing the Company’s IT security needs and coordinating an approach for meeting those needs, both near term and long term;
- Coordinating with IT Operations, IT Applications, IT Quality Assurance, Legal, Human Resources, and other lines of businesses to develop appropriate strategies for information security;
- Interpreting security requirements from government agencies and standards-setting groups;
- Providing security guidance for protecting information;
- Establishing escalation procedures for security issues;
- Organizing and leading security investigations and responses by assembling appropriate multi-disciplinary response teams;
- Providing information security intelligence (new vulnerabilities, exploits, malware) to the rest of the Company IT;
- Providing daily security support for networks, systems, and applications;
- Managing security devices such as firewalls, intrusion detection systems, and web proxy devices;
- Providing security due diligence to qualify outside service vendors that will be storing or processing the Company’s data;
- Providing security patch compliance checking and overall network security risk assessment.
Section 2 Coordination
Corporate information, in all its forms, is deemed to be a Company asset. As with any asset, protection from theft, damage, destruction, modification, and unauthorized use is necessary to the ongoing success of the Company.
Information security must be an integral part of the business planning process from inception. To ensure that security requirements are defined and implemented, ISS must be notified of any new or existing systems or applications where access controls or data flow controls are used. All systems must comply with ISS policies, procedures, standards, and guidelines.
Decentralized administration of security is permitted where appropriate controls, policies, and procedures have been implemented.
Section 3 Information Security Policy Administration
The most current versions of ISS policies, procedures, standards, and guidelines supersede all previous versions, and are binding on all users.
ISS policies, procedures, standards, and guidelines must be monitored, evaluated, and adjusted based on significant changes in technology, operations, risk profiles, or environment.
Section 4 Exceptions
Users may request exceptions to ISS policies, procedures, standards, and guidelines by submitting a request to ISS with a valid business justification. The exception request must be documented and approved by the system owner or department manager. ISS will evaluate each request, approve or deny it, and retain a record of it.
NOTE: Each exception request must be justified, documented, and approved separately. ISS maintains the right to deny any exception from this policy.
Section 5 Enforcement
Network activities may be monitored and logged to ensure compliance with the rules established in this and other ISS policies, procedures, standards, and guidelines.
Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, or legal action as appropriate, or both. No provision of this policy will alter the at-will nature of the employment relationship at the Company.
Section 6 Policy Update and Notification
The Company reserves the right to revise the conditions of this policy at any time by giving notice via the Information Security Policy Update Procedure. Users are responsible for understanding, or seeking clarification of, any rules outlined in this document and for familiarizing themselves with the most current version of this policy.