Information Security Risk Identification
CEO / All HODs / Head-IT will undertake Information Security Risk Identification on a continual basis across all functions and locations that pose a threat to the business. This consists of threats to information assets, the related vulnerabilities, and the impacts these may have on the business.
Information Security Risk Assessment
Based on the above security risk identification, a security risk assessment will be conducted by an independent party. It consists of determining the levels of risk and the consequences arising out of those levels of risk, and classifying them into acceptable and unacceptable risks.
Information Security Risk Mitigation
All HODs will decide and implement risk mitigation plans & strategies (where required) to bring the Residual Risk to As Low As Reasonably Practicable (ALARP) in both the short term and the long term. This will ensure the IS resilience necessary for business survival and growth.
Information Security Risk Review & Reporting
CEO / All HODs and Process Owners (employees) will be responsible for reporting information security incidents, threats and risks to the IT department as required, so that effective corrective, preventive and improvement actions can be taken to drive continual improvement in IS standards.
Information Security Objectives
All HODs and Process Owners will derive the IS SMART Objectives from this IS Policy. They will work towards achieving these objectives by complying with the existing detailed IS procedures issued by the IT dept. to all employees.
Compliance to ISO 27001
EDC strives to work towards compliance with ISO 27001 in the coming years.
The IT Manager is appointed to lead the development and implementation of this IS policy. This policy will be reviewed every 3 years for its continual improvement & suitability, and will be amended if required.