WISP (Written Information Security Program)
Cybersecurity Program Overview
CXO Nexus is committed to protecting its employees, partners, clients and CXO Nexus itself from damaging acts, whether intentional or unintentional. Effective security is a team effort involving the participation and support of every CXO Nexus user who interacts with data and information systems. Therefore, it is the responsibility of every user to know these policies and to conduct their activities accordingly.
Protecting company information and the systems that collect, process, and maintain this information is of critical importance. Consequently, the security of information systems must include controls and safeguards to offset possible threats, as well as controls to ensure accountability, availability, integrity, and confidentiality of the data:
- Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is restricted to only authorized users and services.
- Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
- Availability – Availability addresses ensuring timely and reliable access to and use of information. Security measures must be taken to guard against unauthorized access to, alteration of, disclosure of, or destruction of data and information systems. This also includes protection against accidental loss or destruction.
Scope & Applicability
These policies, standards, and procedures apply to all CXO Nexus data, information systems, activities, and assets owned, leased, controlled, or used by CXO Nexus, its agents, contractors, or other business partners on behalf of CXO Nexus. These policies, standards, and procedures apply to all CXO Nexus employees, contractors, sub-contractors, and their respective facilities supporting CXO Nexus business operations, wherever CXO Nexus data is stored or processed, including any third-party contracted by CXO Nexus to handle, process, transmit, store, or dispose of CXO Nexus data.
Some policies are explicitly stated for persons with a specific job function (e.g., a System Administrator); otherwise, all personnel supporting CXO Nexus business functions shall comply with the policies. CXO Nexus departments shall use these policies or may create a more restrictive policy, but not one that is less restrictive, less comprehensive, or less compliant than this policy.
These policies do not supersede any other applicable law, higher-level company directive or existing labor management agreement in effect as of the effective date of this policy.
CXO Nexus reserves the right to revoke, change, or supplement these policies, procedures, standards, and guidelines at any time without prior notice. Such changes shall be effective immediately upon approval by management, unless otherwise stated.
INFORMATION SECURITY POLICY STRUCTURE
1.0 Information Security Program Policy
CXO Nexus shall protect the confidentiality, integrity, and availability of its data and information systems, regardless of how its data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system, in accordance with all legal obligations.
- Management Direction for Information Security
ORGANIZATION OF INFORMATION SECURITY - POLICY & STANDARDS
2.0 Information Security Organization Policy
CXO Nexus shall implement IT security program management controls to provide a foundation for CXO's Information Security Management System (ISMS).
- Mobile Devices and Teleworking
HUMAN RESOURCE SECURITY - POLICY & STANDARDS
3.0 Human Resource Security Policy
CXO Nexus shall ensure information security best practices are incorporated into Human Resources (HR) personnel management practices.
- Prior to Employment
- Termination and Change of Employment
ASSET MANAGEMENT - POLICY & STANDARDS
4.0 Asset Management Policy
CXO Nexus shall protect its assets and data by ensuring appropriate handling requirements are followed to prevent unauthorized disclosures, regardless of whether assets or data are being transmitted or stored.
- Responsibility for Assets
- Information Classification
- Media Handling
ACCESS CONTROL - POLICY & STANDARDS
5.0 Access Control Policy
CXO Nexus shall implement the principle of “least privilege” within logical access control mechanisms so that only authorized users have access to CXO's information systems and data.
- Business Requirements of Access Control
- User Access Management
- User Responsibilities
- System and Application Access Control
ENCRYPTION - POLICY & STANDARDS
6.0 Cryptography Policy
CXO Nexus shall ensure appropriate cryptographic safeguards are in place to protect sensitive business data against loss, unauthorized access, or disclosure.
- Cryptographic Controls
PHYSICAL & ENVIRONMENTAL SECURITY - POLICY & STANDARDS
7.0 Physical and Environmental Security Policy
CXO Nexus shall ensure physical access controls are in place to limit physical access to authorized personnel and provide appropriate environmental controls to protect both data and information systems from environmental hazards.
- Secure Areas
OPERATIONS SECURITY - POLICY & STANDARDS
8.0 Operations Security Policy
CXO Nexus shall implement and maintain appropriate layers of safeguards to protect information systems from possible threats.
- Protection from Malware
- Logging and Monitoring
- Control of Operational Software
- Technical Vulnerability Management
- Information Systems Audit Considerations
COMMUNICATIONS SECURITY - POLICY & STANDARDS
9.0 Communications Security Policy
CXO Nexus shall employ industry-recognized leading practice principles that promote efficient and effective information security protections within information systems and the network.
- Network Security Management
- Information Transfer
SYSTEM ACQUISITION, DEVELOPMENT & MAINTENANCE - POLICY & STANDARDS
10.0 System Acquisition, Development and Maintenance Policy
CXO Nexus shall ensure that application and system development employ adequate security measures during all phases of the System Development Life Cycle (SDLC) to ensure security-related risks are identified and remediated appropriately.
- Security Requirements of Information Systems
- Security in Development and Support Processes
TEST DATA VENDOR MANAGEMENT - POLICY & STANDARDS
11.0 Supplier Relationships Policy
CXO Nexus shall assess service providers to determine whether their IT security controls are effective. CXO Nexus must ensure service providers implement mechanisms to identify and remediate deficiencies or vulnerabilities on an ongoing basis, in order to ensure the continued effectiveness of IT security controls.
- Information Security in Supplier Relationships
- Supplier Service Delivery Management
INCIDENT RESPONSE - POLICY & STANDARDS
12.0 Information Security Incident Management Policy
CXO Nexus shall maintain an IT security incident handling capability that includes adequate preparation, detection, analysis, containment, recovery, and reporting activities.
- Management of Information Security Incidents and Improvements
BUSINESS CONTINUITY MANAGEMENT - POLICY & STANDARDS
13.0 Business Continuity Management Policy
CXO Nexus shall establish, implement, and maintain plans for the continuity of operations to ensure the availability of CXO's information resources during adverse conditions.
- Information Security Continuity
INFORMATION SECURITY COMPLIANCE - POLICY & STANDARDS
14.0 Compliance Policy
In accordance with all applicable legal requirements, CXO Nexus shall ensure appropriate safeguards are in place to protect sensitive business data against loss, unauthorized access, or disclosure.
- Compliance with Legal and Contractual Requirements
- Information Security Reviews