Acceptable Use Policy: This policy establishes rules for using Zyte's information, networks, and systems. It emphasizes that all assets are company property and should be used primarily for business purposes. Personal use is permitted if it doesn't violate the policy, and users are responsible for exercising good judgment. The policy prohibits illegal activities, intellectual property violations, and security breaches.
Asset Management Policy: This policy aims to identify and protect Zyte's organizational assets. An asset inventory is maintained and regularly updated, which includes asset type, owner, classification, and location. Asset ownership is assigned, and responsibilities are delegated as necessary. The policy also covers acceptable asset use, return, and handling during maintenance.
Classification of Information Policy: This policy ensures that information is classified and protected based on its importance. Zyte uses three classification levels: Public, Confidential, and Sensitive. Each level has specific handling requirements, with Sensitive information requiring the highest level of protection. The policy provides examples of what type of information belongs in each category.
Clear Desk and Clear Screen Policy: This policy mandates that computer and phone screens are locked when employees leave their workstations. It also requires that the printing of sensitive documents be kept to a minimum and that any printed material be secured. Workspaces and meeting rooms must be cleared of documents and assets when vacated. The policy also outlines requirements for working in public spaces and using privacy screens.
Cryptography Policy: This policy aims to protect the confidentiality, integrity, and availability of Zyte's information through encryption. All critical or sensitive data transferred outside the organization must be encrypted. The policy outlines requirements for encrypting data in transit and at rest, as well as key management. It also sets out the specifications that keys must meet and the roles and responsibilities related to encryption.
Identity and Access Management Policy: This policy ensures appropriate access to Zyte's information, networks, and systems. It emphasizes principles like "deny-by-default," "need-to-know," and "least privilege." Access rights are granted based on job roles and must be approved by a manager. The policy also covers password management, privileged access, and access changes.
Information Security Incident Management Policy: This policy establishes a structured approach to responding to security and privacy incidents. The incident management process is divided into stages to ensure an effective response. Root cause analysis is used to manage the investigation and resolution of incidents. The policy also addresses evidence collection and personnel training.
Information Transfer Policy: This policy details the rules and preferred methods for transferring information. It emphasizes the importance of considering the information, recipient, and classification before transfer. The policy also covers requirements and agreements for physical media transfer.
Labeling of Information Policy: This policy facilitates the communication of information classification. Emails are treated as "Confidential" by default, with outbound messages including a standard signature. Physical documents are labeled as "Sensitive" or treated as "Confidential" if unlabeled. Electronic documents use a footer to indicate classification, and physical storage devices are also labeled.
Operation Security Policy: This policy ensures the secure operation of information processing systems and facilities. It covers change management, capacity management, data leakage prevention, and web filtering. The policy also includes configuration management, malware protection, backup procedures, and logging and monitoring activities. Clock synchronization and threat intelligence are also addressed.
Responsible Disclosure Policy: This policy encourages external security researchers to identify vulnerabilities in Zyte's systems. Researchers are asked to report potential vulnerabilities to bughunt@zyte.com. The policy outlines the scope of research, qualifying bugs, and non-qualifying bugs. It also provides guidelines for reporting vulnerabilities and exclusions.
Risk Management Policy: This policy establishes a framework for managing risks to Zyte's information assets. It emphasizes the importance of risk assessment, treatment, and monitoring. The policy also covers the roles and responsibilities related to risk management.
Secure Development Policy: This policy ensures that security is integrated into the software development process. It covers secure coding practices, security testing, and vulnerability management. The policy aims to prevent the introduction of vulnerabilities into Zyte's software.
Secure Disposal & Re-use Policy: This policy outlines the procedures for securely disposing of or reusing information and assets. It emphasizes the importance of protecting sensitive information during disposal. The policy covers both physical and digital assets, including data destruction and media sanitization.
Supplier Relationships Security Policy: This policy manages the security risks associated with Zyte's supplier relationships. It ensures that suppliers adhere to Zyte's security requirements. The policy covers supplier selection, assessment, and monitoring. It also addresses information security agreements with suppliers.
User Endpoint Device Policy: This policy establishes security requirements for user endpoint devices. It covers device configuration, software installation, and acceptable use. The policy aims to protect Zyte's information from unauthorized access or compromise through user devices.
Consequences of Noncompliance with Security Policies: This section outlines the potential consequences of failing to comply with Zyte's security policies. It emphasizes that noncompliance can lead to disciplinary action, up to and including termination of employment. The consequences are proportionate to the severity of the violation.