4. Policy Statements

The following policy statements establish the core requirements for information security within the organization:

4.1 Asset Management

All information assets must be identified, classified according to their sensitivity, and properly protected throughout their lifecycle.

  • Maintain an accurate inventory of all information assets
  • Assign ownership and responsibility for each asset
  • Classify assets based on their value and sensitivity
  • Implement appropriate protection measures for each classification level

4.2 Access Control

Access to information and information processing facilities shall be granted based on business requirements and authorized by management.

  • Implement the principle of least privilege
  • Require proper authorization for all access requests
  • Regularly review and update access rights
  • Implement strong authentication mechanisms

4.3 Cryptography

Cryptographic controls shall be used in accordance with agreements, legislation, and regulations to protect sensitive information.

  • Use approved cryptographic algorithms and key lengths
  • Implement proper key management practices
  • Encrypt sensitive data in transit and at rest
  • Regularly review and update cryptographic implementations

4.4 Physical and Environmental Security

Secure areas shall be defined to protect locations that contain sensitive or critical information and information processing facilities.

  • Control physical access to sensitive areas
  • Implement environmental monitoring and protection
  • Secure equipment against theft and unauthorized access
  • Establish clear desk and clear screen policies

4.5 Operations Security

Operational procedures and responsibilities shall be documented and communicated to ensure correct and secure operation of information processing facilities.

  • Document and maintain operational procedures
  • Implement change management controls
  • Monitor system performance and security
  • Establish backup and recovery procedures