Information Security Management System (ISMS) Policy
In line with SCA’s mission to protect investors, enhance the principles of fair trading practices, and to improve the efficiency of UAE capital markets, SCA has embarked upon a number of initiatives to improve the quality of services delivered.
Since one of the most important aspects of ensuring fair trading practices is protection of information, SCA IT Department as a part of its continuous improvement of managing Information Security has initiated the implementation of Information Security Management System (ISMS) in alignment with the ISO 27001:2013 standard to support the strategic vision of SCA IT Department and to ensure that the information security practices are in line with the industry-wide best practices for information security. This project will assist SCA IT to improve the information availability, integrity and confidentiality, and put in comprehensive practices to assess information risks and define comprehensive treatment plan. As part of this journey, SCA IT Department also intends to achieve the ISO/IEC 27001:2013 Certification, which is the only auditable standard available for information security.
The ISMS implementation has been currently planned for management of SCAIT Department. In this regard, development of ISMS policy is regarded as one of the most important steps as it provides key principles and directions based on organizational requirements and Information Security priorities.
The purpose of the ISMS policy is to demonstrate and express the intention and commitment of SCA to:
- Protect information assets from all threats, whether internal or external, deliberate or accidental thereby ensuring uninterrupted services to Employees, Customers and Stakeholders; and
- Manage the risks to an acceptable level through design, implementation and maintenance of an effective Information Security Management system.
This policy forms the basis and identifies key principles all Information Security initiatives in SCA.
This document defines SCA ISMS policy and principles that need to be followed at SCA.
The ISMS Policy applies to all SCA Staff, SCA Contractors and Third Party Organizations who are involved in the management of Information Security at SCA.
1.5.1. The SCA Information Security Management System (ISMS) Forum is responsible for the development, maintenance, and distribution of SCA Security Policies.
1.5.2. The ISMS Forum is responsible for auditing and reporting compliance to SCA Security Policies.
1.5.3. Department Heads / Section Heads are responsible for compliance to SCA Security Policies within their own area(s) of concern.
1.5.4. All Employees, Contractors and Third Parties are responsible for reading and understanding the application of the SCA Security Policies.
1.5.5. ISMS Forum is responsible for the review of SCA Security Policies on a scheduled and on-going basis to ensure their continuing suitability, adequacy, and effectiveness.
1.6. Key Objectives
The Primary Objectives of this policy are:
1.6.1. SCA shall develop ISMS framework containing policies, procedures etc to establish, implement, operate, monitor, review, maintain and improve a documented Information Security Management System (ISMS) within the context of the organization’s overall business activities relating to regulation of capital market sector in United Arab Emirates.
1.6.2. The SMS framework shall takes into consideration of business and legal or regulatory requirements, and contractual security obligations. (Ref: ISMS Manual).
1.6.3. SCA shall develop Risk management framework establishing criteria against which risk will be evaluated against business, legal and regulatory requirements. (Ref document on Information Security Risk Management Framework).
1.6.4. Establish consistent, comparable, and repeatable approach to perform risk assessment and select appropriate controls to mitigate the risk arising out of business, legal and regulatory requirements.
1.6.5. Establish process to classify information assets based on the criticality and shall develop policies and procedures to assist SCA’s IT Department in accomplishing its Security objectives.
1.6.6. ISMS framework also contains procedures to monitor and measure control effectives based on continual improvement methods while safeguarding SCA IT information processing systems
SCA assets shall be protected from threats to Confidentiality, availability and Integrity. This policy also intends to create a secure business environment by developing awareness and imparting education.