Effective Date: January 1st, 2024
1. Introduction
This Security Policy outlines the security measures and procedures implemented by Next Dimension Inc, and Next Dimension US Inc (“ND”) to protect the integrity, confidentiality, and availability of the services provided to our clients. This policy applies to all employees, contractors, and clients of ND.
2. Purpose
The purpose of this Security Policy is to establish the standards for maintaining a secure environment for our Services. This includes the protection of client data, the prevention of unauthorized access, and the mitigation of security risks.
3. Scope
This policy applies to all systems, networks, applications, and data managed by ND, including all physical and virtual environments.
4. Security Management
4.1 Governance and Responsibility
- ND’s senior management is responsible for the overall security posture of the organization.
- A designated Security Officer is responsible for the implementation, maintenance, and enforcement of this policy.
4.2 Risk Management
- Regular risk assessments must be conducted to identify and mitigate security risks.
- A risk management plan will be developed and updated regularly based on the results of risk assessments.
5. Access Control
5.1 User Access Management
- Access to systems and data is granted based on the principle of least privilege.
- User accounts must be uniquely identifiable and authenticated before access is granted.
- Regular reviews of user access rights must be conducted to ensure appropriateness.
5.2 Password Policy
- Strong passwords are required for all user accounts.
- Passwords must be changed regularly and must not be reused.
- Multi-factor authentication (MFA) is required for access to sensitive systems and data.
6. Data Protection
6.1 Data Classification and Handling
- Data must be classified based on its sensitivity and handled accordingly.
- Sensitive data must be encrypted during transmission and at rest.
- Regular backups of critical data must be performed and stored securely.
6.2 Data Retention and Disposal
- Data retention policies must be established based on legal, regulatory, and business requirements.
- Secure methods of data disposal must be implemented to prevent unauthorized access to discarded data.
7. Network Security
7.1 Network Segmentation
- Networks must be segmented to limit the spread of potential security incidents.
- Access between different network segments must be controlled and monitored.
7.2 Firewall and Intrusion Detection
- Firewalls must be implemented to protect the network perimeter and critical internal segments.
- Intrusion detection and prevention systems (IDPS) must be deployed to detect and respond to potential security incidents.
8. Incident Management
8.1 Incident Response Plan
- An incident response plan must be developed and maintained to address security incidents.
- All employees must be trained on the incident response plan and their roles in the event of an incident.
8.2 Reporting and Communication
- All security incidents must be reported immediately to the Security Officer.
- Communication plans must be in place to inform affected clients and stakeholders in the event of a significant security incident.
9. Physical Security
9.1 Facility Access Control
- Physical access to facilities housing critical systems and data must be restricted to authorized personnel.
- Access logs must be maintained and reviewed regularly.
9.2 Environmental Controls
- Environmental controls such as temperature, humidity, and power supply must be monitored and maintained to protect equipment.
10. Employee Training and Awareness
10.1 Security Awareness Training
- Regular security awareness training must be provided to all employees and contractors.
- Training must cover the security policies, procedures, and best practices.
10.2 Role-Based Training
- Additional, role-specific security training must be provided to employees with access to sensitive systems and data.
11. Compliance and Audits
11.1 Regulatory Compliance
- ND must comply with all applicable legal and regulatory requirements related to security.
- Regular audits must be conducted to ensure compliance with this policy and applicable regulations.
11.2 Internal Audits
- Internal audits of the security controls and processes must be conducted regularly to identify and address any weaknesses.
12. Policy Review and Updates
This policy must be reviewed and updated regularly, at least annually, to ensure its continued effectiveness and relevance. Any changes to the policy must be approved by senior management.