1 . INFORMATION SECURITY POLICY
Dar Al Riyadh (Group) has established an Information Security Policy (ISP) which supports the strategic aims of the business, and is committed to maintaining and improving information security within the business and minimising its exposure to risks. It is therefore Dar Al Riyadh (Group’s) Policy to:
- Ensure the confidentiality of corporate, and client information;
- Protect sensitive information (however stored) against unauthorised access;
- Maintain the integrity of all information;
- Ensure the availability of information, as required;
- Provide information security training for all staff;
- Ensure that the expectations and requirements of all interested parties, in relation to Information Security, are met;
- Make information available to authorised business processes and employees when required;
- Meet all regulatory and legislative requirements;
- Produce business continuity plans for business activities that are regularly maintained and tested;
- Ensure that all breaches of information security, actual or suspected, will be reported to and investigated by Dar Al Riyadh Top Level Management and opportunities for improvement will be identified and acted upon.
- Comply with the requirements of ISO 27001 for information security; and
- Communicate and provide this policy statement to all stakeholders through our website and upon request.
This Policy is dynamic and includes a commitment to continual improvement through a process of incident reporting, risk assessment & regular internal audits. It complements the requirements of ISO 9001:2015, ISO 14001:2015 & ISO 45001:2018 Management Standards, and provides a framework for establishing and reviewing security objectives.
This Policy covers both the information provided by a person in order to engage with Dar Al Riyadh, as well as information automatically obtained by using Dar Al Riyadh services such as, but not limited to, IP Addresses, Location, devices used, etc…
Top Level Management are responsible for communicating the Group’s Information Security Policy and making sure it is understood at all levels within the business
3. Who does this Policy apply to?
This Policy applies to all employees (permanent or temporary) sub-contractors, suppliers, visitor’s clients and all 3rd party users who may have access to all information that is stored in or on the Dar IT systems / servers, or available in other formats. Information Security is applicable to all offices, locations, systems, processes. This document may be distributed to third parties and auditors as necessary
4. Information Security approach
Dar Al Riyadh is committed to keeping information secure. For this reason, Dar Al Riyadh is committed towards maintaining our ISO certification
ISO certification requires Dar Al Riyadh to have a set of policies, procedures, guidelines and controls in place to systematically manage our information assets (collectively known as “Information Security”). Information Security is applied to information on people, processes and also to physical assets, such as IT systems and mobile devices. The goal of Information Security is to minimise risk and to ensure business continuity by pro-actively limiting the likelihood and impact of an information security breach.
Dar Al Riyadh uses Information Security to manage issues that are relevant to our business, as set out at paragraph.
5. Importance and Objectives of Information Security?
Information Security has many objectives and advantages, including but not limited to: –
- Achieving and maintaining ISO: 27001 certification standard by November 2021
- Ensuring Senior Management support the importance of Information Security;
- Establishing regulatory compliance (with data protection laws) and best practice alignment;
- Ensuring that security roles and responsibilities are defined and appropriate;
- Developing and maintaining a suite of relevant, usable and effective security policies;
- Implement, operate and continually improve an effective and measurable security strategy
- Achieving a clear and consistent view of security risks within the business;
- Providing regular and communication to the business in relation to Security and Information
- Provide information, instruction and training to all employees and contractors
- Ensuring developed software and systems are engineered securely and to sufficient quality.
- All server based applications both accessed by a browser or a specific client software
- All mobile applications
- All other client applications provided by Dar Al Riyadh
6. What is Information Security applied to?
Information Security is applicable to all offices, departments, locations, systems, processes and personnel who use or access information assets in the provision of services that include
- Installation, repairs and general building maintenance (including reactive) of all contracts in the retail, commercial and construction industry sectors
Dar Al Riyadh applies Information Security to the following assets:
- Desktops, laptops and any client operated devices – remote VPN or login
- Servers, appliances and network infrastructure.
- Mobile devices
- All server based applications both accessed by a browser or a specific client software.
- All mobile applications.
- All other client applications provided by Dar Al Riyadh.
7. Information Security Roles and Responsibilities
Dar Al Riyadh has identified who is responsible for fulfilling Information Security requirements. These are set out in the HSEQ-MS and are as follows: –
- Group Directors
- IT Director (Group)
- Legal Team
- IT Operations Team
- Senior Management
- All Staff
We may share information with 3rd parties only in the following cases: –
- As required to comply with legal processes
- When we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request
- To our trusted service providers who work on our behalf, do not have independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this statement or have signed a non-disclosure agreement with us.
- If we are involved in a merger, acquisition, or sale of all or a portion of the company
8. How Information Security Manages Risks to Business
Information Security keeps confidential information held on Dar Al Riyadh systems protected at all times using all reasonable measures based on the market’s best practices. Information Security allows Dar Al Riyadh to be engaged on and aware of cyber-attack risks, given its place in the market, including measures to ensure the continued control and security of technical assets in the field. Information Security helps Dar Al Riyadh more readily identify risks and issues that are relevant to the organisation and allows for prioritising, assessing and remedying these on an on-going basis. We will retain the information provided as long as that information is necessary to continue the engagement between the user and Dar Al Riyadh and as long as necessary afterwards to comply with legal and regulatory statutes. You may request that your user data be deleted by sending an email to email@example.com and we will respond within a reasonable time. Note that some or all the data provided may be required and not eligible to be deleted in order for the application to work properly or due to legal requirements.
9. Data Protection Act (DPA) and General Data Protection Regulation (GDPR)
A critical objective of Information Security is compliance with the DPA and GDPR. Those subject to this Policy shall comply with Dar Al Riyadh (Group’s) ‘Data Protection Policy’. Failure to do so may result in disciplinary action
We do not provide services and knowingly solicit data from or market to children under the age of 13. Parents or guardians may provide information of their children in order to obtain services from Dar Al Riyadh such as medical insurance or visa issuance. If you think we have collected personal information directly from a child under the age of 13 through any of our systems, please contact us immediately by email at firstname.lastname@example.org.
10. Acceptable Use Policy
Those subject to this Policy are required to adhere to the Dar Al Riyadh ‘Acceptable Use Policy’ which outlines the principles that govern use of Dar Al Riyadh systems, services and equipment (e.g. laptop / phones). Failure to do so may result in disciplinary action as per clause 11
Anyone subject to this Policy who is found to have violated it, may be subject to disciplinary action, including termination of employment, and termination of contract services.
12. Policy Review
This Information Security Policy (and all other organisation policies unless otherwise stated) shall be reviewed on at least an annual basis by the Group IT Director
13. Top Level Management Approval and Commitment
Dar Al Riyadh Top Level Management commits to the Information Security Policy and endeavors to provide the necessary input, feedback, assistance and resource to provide continued delivery and continual improvement of successful Information Security.