- In line with SCA's mission to enhance the principles of fair trading practices and improve the efficiency of UAE capital markets, SCA has embarked upon many initiatives to improve the quality of services delivered.
- The SCA IT Department has initiated the implementation of the Information Security Management System (ISMS) in alignment with the ISO 27001:2013 standard to support the strategic vision of the SCA IT Department and ensure that the information security practices are in line with industry-wide best practices for information security. This project assists SCA IT to improve information availability, integrity and confidentiality and to put in place comprehensive approaches to assess information risks and define a comprehensive treatment plan. As part of this journey, the SCA IT Department also intends to achieve the ISO/IEC 27001:2013 Certification, the only auditable standard available for information security.
- The ISMS implementation is currently planned for the management of the SCA IT Department. In this regard, the development of the ISMS policy is regarded as one of the most important steps, as it provides vital principles and directions based on organizational requirements and Information Security priorities.
The purpose of the ISMS policy is to demonstrate and express the intention and commitment of SCA to:
- Protect information assets from all threats, whether internal or external, deliberate or accidental, thereby ensuring uninterrupted services to Employees, Customers and Stakeholders; and
- Manage the risks to an acceptable level through design, implementation and maintenance of an effective Information Security Management system.
This policy forms the basis and identifies vital principles for all Information Security initiatives in SCA.
This document defines SCA ISMS policy and principles.
The ISMS Policy applies to all SCA Staff, SCA Contractors and Third-Party Organizations involved in the management of Information Security at SCA.
1.5.1. The SCA Information Security Management System (ISMS) Forum is responsible for developing, maintaining, and distributing SCA Security Policies.
1.5.2. The ISMS Forum is responsible for auditing and reporting compliance to SCA Security Policies.
1.5.3. Department Heads / Section Heads are responsible for compliance to SCA Security Policies within their area(s) of concern.
1.5.4. All Employees, Contractors and Third Parties are responsible for reading and understanding the application of the SCA Security Policies.
1.5.5. The ISMS Forum is responsible for reviewing SCA Security Policies on a scheduled and ongoing basis to ensure their continuing suitability, adequacy, and effectiveness.
1.6. Key Objectives
The Primary Objectives of this policy are:
1.6.1. SCA shall develop an ISMS framework containing policies and procedures to establish, implement, operate, monitor, review, maintain and improve a documented Information Security Management System (ISMS) within the organization's overall business activities relating to regulating the capital market sector in the United Arab Emirates.
1.6.2. The ISMS framework shall consider business and legal or regulatory requirements and contractual security obligations. (Ref: ISMS Manual).
1.6.3. SCA shall develop a Risk Management framework establishing the criteria against which risk is evaluated, based on business, legal and regulatory requirements. (Ref: document on Information Security Risk Management Framework).
1.6.4. Establish a consistent, comparable, and repeatable approach to perform risk assessment and select appropriate controls to mitigate the risk arising from business, legal and regulatory requirements.
1.6.5. Establish a process to classify information assets based on the criticality and develop policies and procedures to assist SCA's IT Department in accomplishing its Security objectives.
1.6.6. The ISMS framework also contains procedures to monitor and measure control effectiveness based on continual improvement methods while safeguarding SCA IT information processing systems.
SCA assets shall be protected from threats to confidentiality, availability and integrity. This policy also intends to create a secure business environment by developing awareness and imparting education.