Versions Compared

...

Version: 1.0
Approved by: (not shown in this comparison)
Approval date: (not shown in this comparison)
Effective date: 1 March 2021 / 1 March 2023 (both values appear in the version comparison)
Next review date: 1 March 2022 / 1 March 2025 (both values appear in the version comparison)

Standard Statement

Purpose

Strong cyber security is an important component of the Seventh-Day Adventist Church digital strategy, enabling the effective use of emerging technologies and ensuring confidence and cyber resilience in the services provided by the Seventh-Day Adventist Church. Cyber security covers all measures used to protect systems, and the information processed, stored, or communicated on those systems, from compromise of confidentiality, integrity, and availability. Cyber security is becoming more important as cyber risks continue to evolve with the steep rise of digital activity in modern life. Rapid technological change has also increased cyber connectivity and dependency on cyber infrastructure.

This Standard includes strengthening cyber security governance, identifying the Church’s most valuable or operationally vital systems and information (“crown jewels”), strengthening cyber security controls, developing a cyber security culture across all staff and volunteers, working across the Church to share security and threat intelligence, and a whole-of-Church approach to cyber incident response. The Standard is reviewed regularly and updated based on feedback and emerging cyber security threats.

When cyber security risk management is done well, it reinforces organisational resilience, makes staff aware of their risks, and helps them make informed decisions in managing those risks. This is complemented with meaningful training, communications, and support across all levels of the Church.

This standard outlines the requirements to which all Seventh-Day Adventist Church employees, contractors, volunteers, and related entities must adhere, to ensure cyber security risks to their information and systems are appropriately mitigated and managed.

Scope

This standard applies to all Seventh-Day Adventist Church employees, volunteers, and related entities. It includes other individuals working on the Church’s behalf or using Church-owned ICT resources including contractors, service providers, and other members of the Church’s supply chain who are provided access to the Church’s systems or data as required to deliver contracted services.

The Standard relates to:

  • information, data, and digital assets created and managed by the Seventh-Day Adventist Church
  • information and communications technology (ICT) systems, and
  • operational technology (OT) that handles the Church’s data or provides critical Church services

Standard

...

  • Information, in whatever form, is of fundamental importance to the Church and as such the Church will manage cybersecurity within a framework based on the internationally recognised Information Security Management System Standard ISO 27001.

  • Cybersecurity risks will be managed, taking into account broader Church objectives, strategies and priorities. A risk management approach will be used to identify, evaluate, and mitigate risks to the Church’s systems and information assets. This is supported by the Information Security Policy Framework and related risk management information.

  • The requirements of the ISO 27001 Standard are based on the following three elements of cybersecurity:

...

Access controls: Methods and controls to manage logical access to sensitive data, protecting the confidentiality of information as well as its integrity and availability. Access requirements are assessed against the Seventh-Day Adventist Church Authentication Framework and the Information Assets Security Classification Policy. Access to Church information and systems must be:

...

  1. attributable to a uniquely identifiable individual who is responsible for actions performed with their system account

  2. based on the requirements of the individual's role

  3. authorised formally by asset owners, routinely revalidated, removed if no longer required, and managed by passwords and multifactor authentication (MFA) according to the Information and Communications Technology Passwords Procedure.
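The three access requirements above translate naturally into an access-review check that an asset owner can run over an account inventory: every account must have a named individual, hold only the entitlements its role allows, carry a record of formal approval, have been revalidated recently, be removed once the person has left, and enforce MFA. The script below is an added illustration and not part of the Standard or any Church tooling; the inventory fields, the role-to-entitlement map, the sample accounts and the 180-day revalidation interval are all constructed assumptions (the Standard only says "routinely revalidated").

```python
from datetime import date

# Assumed revalidation interval for this example; the Standard does not fix one.
REVALIDATION_DAYS = 180

# Constructed role-to-entitlement map (sample data, not the Church's real model).
ROLE_ENTITLEMENTS = {
    "finance-clerk": {"ledger-read"},
    "finance-manager": {"ledger-read", "ledger-approve"},
    "helpdesk": {"account-reset"},
}

# Constructed sample inventory; the field names are assumptions for illustration.
ACCOUNTS = [
    {"account": "jdoe", "owner": "Jane Doe", "role": "finance-clerk",
     "entitlements": ["ledger-read"], "approved_by": "finance-asset-owner",
     "last_revalidated": date(2024, 1, 10), "mfa": True, "still_employed": True},
    {"account": "shared-reception", "owner": None, "role": "helpdesk",
     "entitlements": ["account-reset"], "approved_by": "it-asset-owner",
     "last_revalidated": date(2024, 3, 1), "mfa": False, "still_employed": True},
    {"account": "bsmith", "owner": "Bob Smith", "role": "finance-clerk",
     "entitlements": ["ledger-read", "ledger-approve"], "approved_by": None,
     "last_revalidated": date(2023, 2, 1), "mfa": True, "still_employed": True},
    {"account": "cleft", "owner": "Carol Left", "role": "helpdesk",
     "entitlements": ["account-reset"], "approved_by": "it-asset-owner",
     "last_revalidated": date(2024, 3, 1), "mfa": True, "still_employed": False},
]


def review_account(acct, today):
    """Return (requirement_number, finding) pairs for one account; empty if compliant."""
    findings = []

    # Requirement 1: attributable to a uniquely identifiable individual.
    if not acct.get("owner"):
        findings.append((1, "no named individual owns this account (shared or orphaned)"))

    # Requirement 2: access based on the requirements of the individual's role.
    allowed = ROLE_ENTITLEMENTS.get(acct.get("role"), set())
    excess = sorted(set(acct["entitlements"]) - allowed)
    if excess:
        findings.append((2, f"entitlements beyond role {acct.get('role')!r}: {excess}"))

    # Requirement 3: formally authorised, routinely revalidated,
    # removed when no longer required, and protected by MFA.
    if not acct.get("approved_by"):
        findings.append((3, "no record of formal approval by the asset owner"))
    age_days = (today - acct["last_revalidated"]).days
    if age_days > REVALIDATION_DAYS:
        findings.append((3, f"last revalidated {age_days} days ago (limit {REVALIDATION_DAYS})"))
    if not acct["still_employed"]:
        findings.append((3, "user has left but the account still exists"))
    if not acct["mfa"]:
        findings.append((3, "multifactor authentication not enforced"))
    return findings


def review_all(accounts, today):
    """Map account name -> findings, listing only accounts with at least one finding."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["account"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_all(ACCOUNTS, date(2024, 4, 1)).items():
        for req, text in findings:
            print(f"{name}: requirement {req}: {text}")
```

Run against the sample inventory with a review date of 1 April 2024, the compliant account produces no findings, the shared account fails requirement 1 and the MFA part of requirement 3, the over-entitled and unapproved account fails requirements 2 and 3, and the departed user's lingering account fails requirement 3 only.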

Communications Security: Methods and controls to manage the secure transmission of information to ensure confidentiality of sensitive data and to minimise the risk of data loss or leakage. Systems and networks will be segregated according to their respective cybersecurity risks and use appropriate control mechanisms such as firewalls, gateways, physical isolation, and encryption.

...

Business Continuity: The application of business continuity management will minimise disruption to Church operations, defining the approach to resilience, disaster recovery and general contingency controls. Continuity plans will align with the Church’s Business Continuity Management Framework.

Human Resources: The Church will establish processes and responsibilities relating to cybersecurity during the recruitment process, employment, and separation. Security checks will be conducted prior to employment. All employees will receive cybersecurity awareness training upon induction, and at least annually thereafter.

...

Asset Management: IT assets, including hardware, software and data, will be identified and classified, and asset inventories will be maintained. The Church will classify and handle all information assets in accordance with the Adventist Technology Information Security Policy Framework. The Church will dispose of public records in accordance with the Church Retention and Disposal policy, or in accordance with the Public Records Act 1998 (NSW).

Data Assurance: The Church will ensure that all reasonable steps are taken to monitor, review and audit cybersecurity effectiveness. This will include the assignment of cybersecurity roles, maintenance of policies and processes and reporting of non-compliance.

...

Data Breach Reporting: The Church has formal processes in place to manage a data breach and the mandatory notifications that are required under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) for Australia and the Privacy Act 2020 for New Zealand.

Roles and Responsibilities

...