Policy
Version 1.31
- unclassified -
Information Security Policy
Document Attributes
1.20 | November 9th, 2015 | Changes according to alignment to “Cyber Security” requirements | Working Group “Cyber Security”
1.30 | April 4th, 2016 | Changes according to alignment to “ISO/IEC 27002:2013” | Working Group “ISO/IEC 27002:2013”
1.30 | April 5th, 2016 | Approved by ISC | Working Group “ISO/IEC 27002:2013”
1.30 | April 14th, 2016 | Approved by IT Board | Working Group “ISO/IEC 27002:2013”
1.31 | February 22nd, 2018 | Minor release approved by ISC | Corporate IT Office
Table of Contents
1. Introduction
1.1. About this Document
1.2. Objectives
1.3. Principles
1.4. Review and Evaluation
2. Scope
A. Appendix
A.1. Technical Terms
1. Introduction
Information is an asset which, like other important business assets, has value to
Deutsche Post DHL Group (DPDHL) and, consequently, must be suitably
protected. Information Security protects information from a wide range of threats,
in order to ensure business continuity, to minimize business damage, and to
maximize return on investments and business opportunities.
Information can exist in many forms. It can be printed or written on paper, stored
electronically, transmitted by post or electronic means, shown on film, or spoken
in conversation. Whatever form the information takes, or whatever ways it is
shared or stored, it should always be appropriately protected.
Information Security is characterized here as the preservation of:
- Confidentiality: Ensuring that information is accessible to those with authorized access.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods, and ensuring that a transaction cannot be disputed.
- Availability: Ensuring that authorized users have access to information and associated assets, when required.
This document specifies the control objectives for managing information risks and
risks arising from “Cyber Space”, within DPDHL. The control requirements
describe the minimum technical measures, which must be applied to DPDHL
information, information systems, and data.
1.2. Objectives
This document details the required minimum practices, which are common across
the organization and replace all other DPDHL Information Security policies and
standards.
1.3. Principles
The underlying principle behind Information Security, within DPDHL, is that
divisions will meet or exceed the International Standards Organization - Standard
for Information Security Management (ISO 27002:2013) control requirements,
unless regulatory requirements or local laws stipulate otherwise. This document
contains, among others, all of the controls specified in ISO 27002:2013 and
describes them in terms relevant and appropriate to DPDHL.
Complementary to Information Security, it includes controls to preserve Cyber
Security within DPDHL Group specified in Cyber Security best practice standards
(e.g. “Framework for Improving Critical Infrastructure Cybersecurity” (NIST)).
Accordingly, Information Security in the sense of this document also covers Cyber
Security.
This group standard establishes basic Information Security principles, criteria, and
practices, and provides guidelines for establishing, planning, carrying out, and
documenting Information Security, within DPDHL. In all cases, legal requirements
for Information Security, such as data protection legislation, banking or postal
secrecy requirements, or other requirements, such as contractual obligations to
third parties, must be complied with fully and unequivocally. Compliance with this
group standard does not by itself guarantee full compliance with local regulation.
The Information Security standards define some recommendations of the ISO
standard as mandatory (i.e., a must). Where there are legal, regulatory,
operational, or technical reasons why a control cannot be complied with, a
formal exception from the DPDHL control requirements of the DPDHL
Information Security standards must be documented. This exception must be
approved by the Business Owner of the relevant process, the divisional CIO, and
the respective divisional Chief Information Security Officer (CISO), according to
chapter 20 of these Information Security standards. Exceptions are treated as
risks and are subject to the respective review cycles.
An Information Security policy document must be approved by the management,
published, and communicated to all employees, and relevant external parties,
according to the requirements stated in chapter 5 of the Information Security
control standards.
2. Scope
The Information Security policy sets forth the requirements for basic Information
Security measures, which must be implemented, within DPDHL. All employees
and third-party operators of information technology systems (IT systems) for
DPDHL and its affiliated companies, as well as the users in these organizations,
are required to comply with the requirements set forth in this document.
The document supports the following strategic goals for Information Security:
- Ensuring the availability of DPDHL computer systems, so they meet the company’s information technology (IT) and information and communications technology (ICT) requirements.
- Achieving a high level of confidentiality and availability, for all data processed in these operative systems.
- Achieving a level of data integrity and confidentiality that meets the requirements of all DPDHL divisions and subsidiaries.
- Ensuring that Information Security for the DPDHL business operations is conducted properly.
Protecting information in all relevant business environments is a common interest
of the Information Security functions, as well as the Corporate Security and the
divisional security functions. The Corporate Security and the divisional security
functions are responsible for aspects of Information Security where it concerns
people, physical assets and the public reputation of DPDHL, which is defined in
accordance with the Corporate Security policy and excluded from the scope of
this policy.
The procedures and rules set forth in this policy define the compulsory minimum
protection level, which applies to all assets of DPDHL specified in chapter 8.
However, some customers or applications may require more than the minimum
level of Information Security protection. When this is the case, specific Information
Security procedures should be defined and implemented by the competent
technical department, in cooperation with the Information Security departments of
the respective divisions.
Must not: “Must not” shall mean the condition is an absolute prohibition of the standard (same as “Shall not”).
Should not: “Should not” shall mean there may exist valid reasons, in particular circumstances, when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed, before implementing any behavior described with this label (same as “Not recommended”).
Should: “Should” shall mean there may exist valid reasons, in particular circumstances, to ignore a particular item, but the full implication must be understood, and carefully weighed, before choosing a different course (same as “Recommended”).
8. Asset Management
All media must be effectively managed through its lifetime; this includes
procurement or creation, usage, transportation, storage, and at end of life
irrevocable destruction. Any existing and applicable information management
policy, or document retention guidelines, must be adhered to.
9. Access Control
10. Cryptography
All physical facilities must have access controls to prohibit unauthorized access.
11.2. Equipment
All equipment used to store, process, and transport DPDHL information must be
protected, during its lifetime. When a device reaches the end of its life, it must be
irrevocably wiped or cleansed, and appropriately disposed of.
12.3. Backup
Backup and restore procedures, and retention periods, must be sufficient to
maintain the integrity and availability of information, and information-processing
systems.
18. Compliance
A. Appendix
A.1. Technical Terms
Asset: Assets are distinguished in asset types of IT assets, Information Security organizational assets, and information data assets, according to chapter 8 of the Information Security control standards.
External staff: Individuals who do not have an employee contract with the company.
[1] Based on ISO 27005
[2] ISO 27001:2005
Parameters: Provide common and consistent criteria for comparing all risks to be managed.
RACI - matrix
Threshold: Thresholds are preset filter settings for searching the reporting item list. Thresholds do not limit any reporting data amount. All divisional reporting data enter the corporate report.
Note: Thresholds underlie the Information Security management review process, according to chapter 4.
[3] Based on ISO 27000