...

  • Information, in whatever form, is of fundamental importance to the Church and as such the Church will manage cybersecurity within a framework based on the internationally recognised Information Security Management System Standard ISO 27001.

  • Cybersecurity risks will be managed, taking into account broader Church objectives, strategies and priorities. A risk management approach will be used to identify, evaluate, and mitigate risks for the Church’s systems and information assets. This is supported by the Information Security Policy Framework and related risk management information.

  • The requirements of the ISO 27001 Standard are based on the following three elements of cybersecurity:

...

Access controls: Methods and controls to manage logical access to sensitive data to protect the confidentiality of information as well as integrity and availability requirements. Access requirements are assessed against the Seventh-Day Adventist Church Authentication Framework and the Information Assets Security Classification Policy. Access to Church information and systems must be:

...

  1. attributable to a uniquely identifiable individual who is responsible for actions performed with their system account

  2. based on the requirements of the individual's role

  3. authorised formally by asset owners, routinely revalidated, removed if no longer required, and managed by passwords and multifactor authentication (MFA) according to the Information and Communications Technology Passwords Procedure.

Communications Security: Methods and controls to manage the secure transmission of information to ensure confidentiality of sensitive data and to minimise the risk of data loss or leakage. Systems and networks will be segregated according to their respective cybersecurity risks and use appropriate control mechanisms such as firewalls, gateways, physical isolation, and encryption.

...

Business Continuity: The application of business continuity management will minimise disruption to Church operations, defining the approach to resilience, disaster recovery and general contingency controls. Continuity plans will align with the Church’s Business Continuity Management Framework.

Human Resources: The Church will establish processes and responsibilities relating to cybersecurity during the recruitment process, employment, and separation. Security checks will be conducted prior to employment. All employees will receive cybersecurity awareness training upon induction, and at least annually thereafter.

...

Asset Management: IT assets, including hardware, software and data, will be identified and classified, and asset inventories will be maintained. The Church will classify and handle all information assets in accordance with the Adventist Technology Information Security Policy Framework. The Church will dispose of public records in accordance with the Church Retention and Disposal policy, or in accordance with the Public Records Act 1998 (NSW).

Data Assurance: The Church will ensure that all reasonable steps are taken to monitor, review and audit cybersecurity effectiveness. This will include the assignment of cybersecurity roles, maintenance of policies and processes and reporting of non-compliance.

...

Data Breach Reporting: The Church has formal processes in place to manage a data breach and the mandatory notifications that are required under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) for Australia and the NZ Privacy Act 2020 for New Zealand.

Roles and Responsibilities

...