1. Introduction

The Information Security Policy of EXPERTS REFUGE is designed to protect information and information assets against potential threats, whether internal or external, accidental or intentional. This policy defines the principles, practices, and responsibilities to ensure the confidentiality, integrity, and availability of the information we handle.

2. Objectives

  • Confidentiality: Ensure that information is accessible only to authorized individuals.
  • Integrity: Ensure that information is accurate, complete, and not altered in an unauthorized manner.
  • Availability: Ensure that information is accessible to authorized users when needed.

3. Scope

This policy applies to all employees, partners, contractors, and other stakeholders of EXPERTS REFUGE who have access to the information systems and data the company handles.

4. Information Security Organization

4.1 Training and Awareness

  • Initial Training: All employees must undergo training on information security at the time of hire. This training includes security policies, password management practices, and recognition of potential threats such as phishing.
  • Awareness Campaigns: Awareness campaigns should be conducted to reinforce the security culture within the company.

5. Asset Management

5.1 Asset Inventory

  • Asset Identification: A complete inventory of all information assets (equipment, software, data) must be maintained. Each asset should be recorded with details such as type, location, and responsible person.
  • Asset Classification: Assets should be classified according to their importance and sensitivity. Common categories include public data, internal data, confidential data, and sensitive data.

5.2 Asset Protection

  • Physical Controls: Equipment must be protected against unauthorized access, theft, and physical damage. Offices and server rooms should be locked, and access should be controlled through badges or codes.
  • Logical Controls: Systems should be protected by appropriate access controls, such as firewalls, antivirus software, and intrusion detection systems.

6. Access Control

6.1 Credential Management

  • Credential Creation: Credentials must be unique and assigned based on employees’ access needs. Passwords should meet complexity standards (minimum length, mix of characters, etc.).
  • Credential Reset: Credentials must be reset periodically, and passwords should be changed if compromise is suspected.

6.2 Access Revocation

  • Revocation Process: When an employee leaves the company or changes roles, their access must be immediately revoked. The process should include disabling user accounts and retrieving equipment.
  • Access Audits: Regular audits should be performed to ensure access is correctly configured and employees have only the privileges necessary for their roles.

7. Physical and Environmental Security

7.1 Access to Premises

  • Access Control: Access to sensitive areas should be restricted to authorized individuals. Visitors should be logged and escorted at all times.
  • Surveillance: Surveillance systems and alarms should be installed in critical areas to detect and deter unauthorized access.

7.2 Equipment Protection

  • Environmental Conditions: Equipment should be protected against environmental risks such as fires, floods, and power failures. Protective measures like fire extinguishers, uninterruptible power supplies (UPS), and climate control systems should be in place.

8. Communications and Operations Security

8.1 Network Security

  • Network Architecture: Networks should be segmented to limit access to sensitive information. Firewalls and intrusion prevention systems should be configured to protect against external attacks.
  • Encryption: Sensitive data should be encrypted in transit using robust encryption protocols (e.g., TLS). Encryption of data at rest is also recommended for critical information.

8.2 Data Security

  • Backups: Regular backups should be performed to ensure data recovery in case of loss or corruption. Backups should be stored securely and tested regularly for integrity.
  • Device Management: Mobile devices (laptops, smartphones) should be protected by passwords and encryption. Loss or theft of these devices should be reported immediately.

9. Incident Management

9.1 Detection and Response

  • Incident Detection: Monitoring and detection tools should be used to identify security incidents in real time. Alerts should be configured to signal any suspicious activity.
  • Incident Response: An incident response plan should be developed and implemented. Steps include notifying stakeholders, analyzing the incident, and implementing corrective measures.

9.2 Post-Incident Analysis

  • Analysis: After an incident, a detailed analysis should be conducted to understand the root causes and impacts. The analysis report should include recommendations to prevent recurrence.
  • Improvements: Lessons learned from the analysis should be incorporated into security practices and policies to continuously improve the company’s security posture.

10. Business Continuity

10.1 Continuity Plan

  • Plan Development: A business continuity plan must be developed to ensure critical operations can continue during major disruptions. The plan should include backup procedures, recovery plans, and emergency contacts.

10.2 Change Management

  • Change Procedures: Significant changes to information systems and processes must be planned, assessed, and approved before implementation. Changes should be documented and reviewed to avoid disruptions or vulnerabilities.

11. Compliance and Review

11.1 Legal Compliance

  • Regulatory Compliance: All security practices must comply with applicable laws and regulations.

11.2 Policy Review

  • Regular Reviews: This policy should be reviewed at least annually or in response to major changes in business activities or regulations. Updates should be communicated to all employees and stakeholders.

12. Contact

For any questions or concerns regarding this Information Security Policy, please contact:

EXPERTS REFUGE
Email: support@expertsrefuge.com
Phone: +212 5 22 30 72 53
Address: 11, Avenue des FAR, 11th Floor, Casablanca, 20250, Morocco


This charter reflects the core values of EXPERTS REFUGE and guides our daily actions to maintain an ethical working environment grounded in integrity.