Information Security Policy

1 – Purpose

The purpose of this Information Security Policy is to establish and maintain an effective framework for managing information security within My Ancient Pharmacist. This policy aims to protect the confidentiality, integrity, and availability of the company’s information assets, including customer data, financial records, and proprietary systems. By implementing this policy, the organization seeks to demonstrate its commitment to compliance with relevant legal, regulatory, and contractual requirements, such as GDPR and HIPAA, and to instill a culture of security awareness and responsibility among its employees.

2 – Scope

2.1. Departments
This policy applies to all departments within My Ancient Pharmacist, including Administration, Software Development, QA Testing, Customer Support, and Sales & Marketing. All employees, contractors, and third-party users operating within these departments are expected to adhere to the requirements outlined in this policy.

2.2. Types of data
The scope of this policy encompasses the protection of sensitive data, including Customer Personal Identifiable Information (PII) and Financial Data. This also includes any other information assets that are deemed critical to the operations and reputation of the organization.

2.3. Key information assets
The policy covers the protection of key information assets such as the Customer Database, Employee Records, Financial System, Project Management Software, Source Code Repository and Web Applications, Company Website, and Internal Documentation. These assets are vital to the organization’s business processes and must be safeguarded against unauthorized access, disclosure, or modification.

3 – Information Security Objectives

– Ensure the confidentiality, integrity, and availability of customer data, financial records, and proprietary systems by implementing appropriate security controls and measures.
– Comply with GDPR and HIPAA regulations to protect the privacy and security of personal and health-related information.
– Minimize the risk of data breaches, unauthorized access, and data loss through the implementation of robust security practices and ongoing risk assessments.
– Foster a culture of security awareness and accountability among employees through regular training and communication initiatives.

4 – Data Classification

The organization shall classify data into categories such as Public, Internal Use Only, Confidential, and Highly Restricted based on the sensitivity, criticality, and regulatory requirements associated with the data. This classification will guide the implementation of appropriate security controls and access privileges to ensure the protection of the organization’s information assets.

5 – Roles and Responsibilities

My Ancient Pharmacist recognizes the critical importance of clearly defined roles and responsibilities in ensuring the effective implementation and maintenance of information security within the organization. The following roles and responsibilities have been established to support the Information Security Management System (ISMS) and to ensure the protection of sensitive information:

Information Security Officer (ISO):
– The Information Security Officer is responsible for overseeing the development, implementation, and maintenance of the ISMS.
– The ISO is accountable for ensuring that information security objectives are aligned with business goals and for providing guidance on information security matters.

Department Heads:
– Each department head is responsible for ensuring that information security policies, procedures, and guidelines are communicated, understood, and adhered to within their respective departments.
– They are accountable for identifying and reporting information security risks and incidents within their areas of responsibility.

Employees:
– All employees are responsible for familiarizing themselves with the information security policies, procedures, and guidelines relevant to their roles.
– They are accountable for reporting any suspected security weaknesses, breaches, or incidents to the appropriate department head or the Information Security Officer.

6 – Access Control

Access control is a fundamental component of My Ancient Pharmacist’s information security strategy, aimed at safeguarding the confidentiality, integrity, and availability of sensitive data. The following access control measures have been implemented to mitigate the risk of unauthorized access:

User Access Management:
– Access to information systems and data is granted based on the principle of least privilege, ensuring that employees have access only to the resources necessary for their roles.
– User access rights are reviewed and updated regularly to align with employees’ job functions and responsibilities.

Authentication:
– Employees access company systems and data exclusively through company-issued devices, which are configured to enforce strong authentication measures.
– Two-factor authentication is mandatory for all systems, adding an extra layer of security to the authentication process.

Compliance Requirements:
– My Ancient Pharmacist complies with GDPR and HIPAA regulations, which necessitate stringent access controls to protect personal identifiable information and protected health information.
– Access control measures are continuously assessed and enhanced to ensure compliance with legal, regulatory, and contractual requirements.

By establishing clear roles and responsibilities and implementing robust access control measures, My Ancient Pharmacist aims to uphold the highest standards of information security and fulfill its legal and regulatory obligations.

7 – Security Measures

7.1 Physical Security Measures
Our office is secured with card-based access control to restrict unauthorized access.
Security cameras are installed at all entrances and exits to monitor and record activities.
Visitors are required to sign in, providing an additional layer of security and accountability.

7.2 Change Management Process
All system changes are tracked through a Change Management System to maintain a record of modifications.
Changes must be approved by the CISO before implementation to ensure oversight and accountability.
All changes are tested in a separate environment before deployment to mitigate the risk of disruptions to live systems.

7.3 Information Transmission Security
We encrypt all data in transit using SSL/TLS protocols to safeguard information during transmission.
Our email system uses secure email gateways for outbound and inbound traffic, enhancing the security of communication channels.

7.4 Incident Management Process
We follow a predefined Incident Response Plan for any security incidents to ensure a structured and effective response.
All incidents are logged, investigated, and lessons learned are incorporated into our security procedures to continuously improve our incident response capabilities.

7.5 Business Continuity Plan
We have a Business Continuity Plan that includes regular data backups to mitigate data loss risks.
A disaster recovery site is in place to ensure continuity of operations in the event of a major disruption.
Predefined roles and responsibilities for the management team are established to facilitate a coordinated response during business continuity events.

These security measures are designed to align with the legal, regulatory, and contractual requirements that our company needs to comply with, including GDPR and HIPAA regulations.

8 – Training and Awareness

My Ancient Pharmacist recognizes the critical importance of ongoing training and awareness programs to ensure the effective implementation of information security policies and procedures. All employees, contractors, and third-party users with access to our systems and data are required to undergo regular security awareness training. This training will cover topics such as data handling best practices, phishing awareness, password security, and the specific requirements of GDPR and HIPAA regulations.

Employees will be informed about the latest cybersecurity threats and the potential impact on the organization. Training sessions will be conducted at regular intervals, and employees will be required to stay up to date with the latest security practices and policies. Additionally, specific training programs will be tailored for departments handling sensitive data, such as Customer Support and Software Development, to address their unique security challenges.

Regular awareness campaigns will be conducted to reinforce the importance of information security across the organization. These campaigns will include email reminders, posters in common areas, and other communication channels to ensure that information security remains at the forefront of employees’ minds.

9 – Policy Compliance

Policy compliance is a fundamental aspect of our information security management system. My Ancient Pharmacist is committed to ensuring that all employees, contractors, and third-party users adhere to the established information security policies and procedures. Non-compliance with these policies may result in disciplinary action, up to and including termination of employment or contract.

Regular audits and assessments will be conducted to monitor and enforce policy compliance. These audits will include reviews of access logs, system configurations, and employee adherence to security protocols. Any identified non-compliance issues will be addressed promptly, and corrective actions will be implemented to prevent recurrence.

Employees will be required to acknowledge their understanding and acceptance of the information security policies. This acknowledgment will be documented and kept on file to demonstrate policy compliance. Furthermore, employees will be encouraged to report any potential policy violations or security concerns through established reporting channels without fear of reprisal.

10 – Review and Updates

My Ancient Pharmacist is committed to regularly reviewing and updating its information security policies and procedures to adapt to the evolving threat landscape and changing business requirements. The Information Security Officer will be responsible for conducting periodic reviews of the ISMS to ensure its continued effectiveness and relevance.

Reviews will include assessments of the organization’s security posture, the results of security incidents and breaches, feedback from employees, and any changes in legal or regulatory requirements. Based on these reviews, necessary updates to the ISMS will be proposed and implemented to address any identified gaps or deficiencies.

Updates to the ISMS will be communicated to all relevant stakeholders, and employees will be provided with training on any new or revised policies and procedures. Additionally, a documented history of changes to the ISMS will be maintained to track the evolution of our information security practices over time.

11 – Definitions

Confidentiality: The principle of preventing unauthorized access to information. It ensures that information is accessible only to those authorized to have access.
Integrity: The assurance that information is trustworthy and accurate. It refers to protecting data from being altered or tampered with by unauthorized individuals.
Availability: The guarantee that authorized users have access to information and associated assets when required.
Personal Identifiable Information (PII): Any data that can be used to identify a specific individual, including names, addresses, phone numbers, and social security numbers.
Protected Health Information (PHI): Any information about health status, provision of health care, or payment for health care that can be linked to an individual.
Risk Assessment: The process of identifying, evaluating, and analyzing risks associated with organizational operations, particularly in terms of information security.
Change Management: The systematic approach to dealing with changes, both from the perspective of an organization and on the individual level.
Incident Management: The process of identifying, managing, and analyzing security breaches or attacks to prevent future occurrences.
Business Continuity Plan (BCP): A plan that outlines procedures and instructions an organization must follow in the face of disaster, in order to continue its daily operations.
Two-Factor Authentication (2FA): A security process in which users provide two different authentication factors to verify themselves.
Virtual Private Network (VPN): A technology that creates a safe and encrypted connection over a less secure network, such as the internet.
SSL/TLS (Secure Sockets Layer/Transport Layer Security): Protocols for establishing authenticated and encrypted links between networked computers.