
Information Security Policy

Abu Dhabi Government


Version 2.0
This document is developed by:
Information Security Policy
Abu Dhabi Government
Version 2.0
H.H. Sheikh Khalifa Bin Zayed Al Nahyan
President of the United Arab Emirates - Ruler of Abu Dhabi
H.H. General Sheikh Mohamed Bin Zayed Al Nahyan
Crown Prince of Abu Dhabi - Deputy Supreme Commander of the UAE Armed Forces
Chairman of Executive Council - Abu Dhabi
With the issuance of the 2nd version of the Information Security Policy,
Abu Dhabi marks a new milestone of technology development, seeking
the promotion of various work scopes across all sectors; in line with the
high performance-based E-Government vision which provides internationally
standardized services for all its users.

Abu Dhabi government has attached great importance to utilizing
cutting edge technology in developing and enhancing the quality of
public services, and hence facilitating the overall process for users. The
emirate has achieved a remarkable progress in this area; the use and
sharing of electronic information have become essential practices within
all government entities. Such irreversible progress necessitated the
establishment of a system to ensure the confidentiality, availability and integrity of government
information, which ensued in the issuance of the 1st version of Information Security Policy in 2009.

The 2nd version is the fruit of an ongoing process of revision and updating of information security
standards. The aim is to reflect the government’s constant commitment to ensuring full protection
of Abu Dhabi Government’s information, along with keeping abreast of the rapid changes and
development in the field of information technology.

The Information Security Policy is a pivotal part of the Abu Dhabi E-Government strategy, as
it aims at supporting both the design and coordination of services, as well as providing secure
government information through effective policies and standards. The Policy also oversees practices
of information security in government entities, and ensures that access to information systems and
their sources is controlled.

Moreover, the Policy constitutes a holistic framework that includes information security, both
within and beyond the electronic system range. Thus, such document sets out the standards and
requirements to be implemented for information security and protection.

As the managing entity of the Policy, the Abu Dhabi System and Information Center will oversee the
appropriate implementation of such program in order to achieve the desired objectives.

All government entities are to incorporate information security as an integral part in their
operational processes and activities, and ensure that security and risk related procedures are
indispensable drivers of decision-making policies in this regard.

We wish our endeavours will meet with success, so we can contribute to Abu Dhabi’s progress
and prosperity, under the wise leadership of His Highness Sheikh Khalifa bin Zayed Al Nahyan,
President of the United Arab Emirates, and His Highness General Sheikh Mohamed bin Zayed
Al Nahyan, Crown Prince of Abu Dhabi, Deputy Supreme Commander of the UAE Armed Forces
and Chairman of the Abu Dhabi Executive Council.

Dr. Ahmed Mubarak Al Mazrouei
Secretary-General of the Executive Council

Document Configuration Control

Version | Release Date | Summary of Changes | Release Approval
1.0 | 18 November 2008 | First Draft | GSEC
2.0 | 23 January 2013 | New version reflecting revision to security domains | GSEC

A review and update of this document will take place when changes require revising
the Information Security Policy. Such modifications may relate to changes in roles and
responsibilities, release of new legislation or technical guidance or the identification
of a new policy area. The General Secretariat of the Abu Dhabi Executive Council, in
consultation with appropriate parties, will approve all revisions to this Information
Security Policy. When approved, a new version of the Information Security Policy
will be issued, and all affected Abu Dhabi personnel will be informed of the changes.

This document should be distributed to:

Title | Format
Heads of All Abu Dhabi Government Entities | Electronic copy; hard copy

This document should be stored:

Location | Format | Owner
Abu Dhabi Portal | Electronic copy | ADSIC
ADSIC Website and Office | Electronic copy; hard copy | ADSIC

This document affects the following persons:

Group
All Abu Dhabi Government Entity personnel, contractors, and third party
individuals directly or indirectly involved in the provision of government services.

Contents

Definitions

CHAPTER 1 Introduction
1.1 Purpose
1.2 Scope
1.3 Compliance and Enforcement
1.4 Authorities

CHAPTER 2 Information Security Domains
2.1 Information Security Governance
2.2 Information Security Risk Management
2.3 Human Resources Security
2.4 Third Party Supplier Security
2.5 Information Security Training, Awareness and Communication
2.6 Information Asset Management
2.7 Physical and Environmental Security
2.8 Information Systems Design, Development and Testing
2.9 Identity and Access Management
2.10 Information Systems Operations Management
2.11 Information Security Incident Management
2.12 Information Systems Continuity Management

CHAPTER 3 Roles and Responsibilities
3.1 The General Secretariat of Abu Dhabi Executive Council
3.2 Abu Dhabi Systems & Information Centre (ADSIC)
3.3 Abu Dhabi Information Security Working Group (AD-ISWG)
3.4 Abu Dhabi Government Entities (ADGEs)

Definitions

Information asset: Any knowledge or data, whether tangible or intangible,
that has a value to the organisation, such as information or
information systems.

Emirate: The Emirate of Abu Dhabi.

Information Security: Protection of information and information systems from
unauthorised access, use, disclosure, disruption, modification
or destruction in order to provide confidentiality, integrity,
availability, authentication and non-repudiation.

Information Security Programme: A prioritised structuring and deployment of
resources in order to achieve a defined set of Information Security capabilities.

Information Technology: Any equipment or interconnected system or subsystem of
equipment that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display,
switching, interchange, transmission, or reception of data.

Threat: A potential cause of an unwanted incident, which may
result in harm to a system or organization.

Availability: Ensuring timely and reliable access to, and use of, information.

Vulnerability: A weakness within an asset, or group of assets, that can be
exploited by one or more threats to manifest a risk.

Abu Dhabi Government Entities: Any Abu Dhabi Government department, agency,
institution, authority, board, centre or wholly-owned company or
subsidiary; whether its budget falls within the general budget
of the government or is independent of it.

Information Security Incident: A single or series of unwanted or unexpected
Information Security events that have a significant probability of
compromising business operations or threatening
Information Security.

Privacy: The protection of personal data that are being processed
and/or stored by the Abu Dhabi government entities.

Confidentiality: The act of preserving authorised restrictions on information
access and disclosure, including means for protecting
personal privacy and proprietary information.

Integrity: The act of guarding against improper information
modification or destruction, and includes ensuring
information non-repudiation and authenticity.

Chief Information Security Officer (CISO): The Entity representative with
day-to-day responsibility for managing the Entity’s Information Security Programme.
The CISO works on behalf of the Information Security
Governance Committee in ensuring that the organisation’s
Information Security objectives are met. Depending upon
the size of the organisation, its business processes and risk
profile, the CISO role may be either full or part-time and
may be augmented with additional information security
personnel, as judged necessary by the Entity.

Information Security Governance Committee (ISGC): The decision-making and
resource allocation body with primary accountability for ensuring the Entity’s
Information Security programme is adequately designed, resourced,
monitored and is appropriately aligned with other relevant
initiatives. The ISGC should be composed of executive-level
representatives equipped to provide sponsorship of the
Entity’s Information Security programme and will provide
oversight of the work of the Chief Information Security
Officer and any supporting security organisation.

Third Party: An individual or organisation that is recognised as being
independent of the parties involved. In the context of these
Standards, the term ‘third party’ will normally refer to
third-party (i.e. external) suppliers, unless otherwise stated.

Information Security Domains: Management and functional domains that are grouped
into 12 specific families (e.g. Information Security Governance,
Information asset Management etc.) in order to provide
the foundation for a comprehensive Information Security
Programme.

Abu Dhabi Information Security Working Group (AD-ISGC): An information sharing
body led by the Abu Dhabi Systems and Information Centre and composed of Chief
Information Security Officers of Abu Dhabi Government Entities. The
AD-ISGC provides a forum for two-way communication on
Information Security matters of relevance and applicability
across multiple Abu Dhabi Government Entities. The
AD-ISGC provides Entities with a mechanism for proposing
improvements to Information Security capabilities across
the government of Abu Dhabi.

Risk: Exposure to danger, harm or loss that may be encountered
when vulnerability is exploited by a threat.

The level of impact on entity services, information assets, or
individuals resulting from the potential consequences of a
threat and the likelihood of that threat occurring.

ADSIC: Abu Dhabi Systems and Information Centre, established
pursuant to Abu Dhabi Law No.18 of 2008.

‘Production’ Information System: Information systems transition through a
lifecycle of: i) ‘Design’ ii) ‘Development’ iii) ‘Testing’ iv) ‘Production’ and
v) ‘Retirement/Replacement’.

Information systems will have ‘Production’ status when
being used to access, modify, transmit or store the entity’s
business records.

Controls: The application of people, process and/or technology in
support of transacting business and managing risk. Controls
can be technical or managerial in nature.

Control Standards, as defined within the Abu Dhabi
Information Security Standards, provide definition of control
categories and types expected to be implemented by Abu
Dhabi Government Entities.

Information: Any communication or representation of knowledge such
as facts, data or opinions in any medium or form; including
textual, numerical, graphic, cartographic, narrative, audio or
visual forms.


Authorising Official: Individual who has the ultimate responsibility to accredit all
Government services. This individual accepts responsibility
for the security of the service and accountability for any
adverse impacts to the entity if a breach of security occurs.

Information System: A discrete set of information resources organised for
the collection, processing, maintenance, use, sharing,
dissemination or disposal of information, including manual
processes or automated processes. This includes information
systems used by an entity either directly or used by another
entity, or a contractor under a contract with the entity
that: (i) requires the use of such information systems; or (ii)
requires the use, to significant extent, of such information
systems in the performance of a service or the furnishing of
a product. Information systems may generate outputs that
are electronic and/or paper-based.

Recovery Point Objective (RPO): The maximum tolerable period in which data might
be lost.

Recovery Time Objective (RTO): The maximum tolerable outage that can be accepted
on an information system.

CHAPTER 1
Introduction
1.1 Purpose
The Information Security Policy is considered the primary reference for Abu Dhabi
Government Information Security. The purpose of this Information Security Policy is
to confirm what must be done to secure the Government of Abu Dhabi’s information
assets. In this respect, the Policy is supported by the Abu Dhabi Information Security
Standards.

Secondly, the Information Security Policy assigns ownership and accountability
for meeting these Information Security requirements by delineating specific
organisations that have a key role to play in meeting the government’s Information
Security objectives. Fulfilling both of these objectives will enable Abu Dhabi to
implement a robust Government-wide Information Security capability.

This Information Security Policy is supported by a series of accompanying publications
including the Abu Dhabi Information Security Standards, along with associated
guides, templates and checklists.

1.2 Scope
This Information Security Policy is informed by a holistic view of Information Security,
not solely focusing on Information Technology security. Therefore, the document
addresses the security of information within Information Technology systems and
also information that resides outside of Information Technology systems – forming
an overarching information system. To comprehensively address the various
security risks, this policy defines requirements for ensuring that critical Government
information is secure, regardless of the medium in which the information resides.

These Information Security requirements are structured in twelve (12) control
groupings, herein referred to as Information Security Domains. These are as shown
below.

Security Domain Name

• Information Security Governance
• Information Security Risk Management
• Human Resource Security
• Third Party Supplier Security
• Information Security Training, Awareness and Communication
• Information Asset Management
• Physical and Environmental Security
• Information Systems Design, Development & Testing
• Identity & Access Management
• Information Systems Operations Management
• Information Security Incident Management
• Information Systems Continuity Management

The success of the Information Security programme depends upon the collaboration
between local government entities and concerned federal government entities.
Abu Dhabi Systems & Information Centre (ADSIC) will coordinate the overarching
framework, strategy, and standards-setting, and will support the execution of the
necessary government-wide controls needed to assist Entities in implementing
their Information Security programmes. Ultimately, Entities are responsible for
implementing the appropriate risk-based security controls to protect the information
under their respective cognizance.

Information Security Governance and Risk Management are the foundation of the
Information Security Programme. These disciplines require that entities protect
Government information assets in a manner commensurate with:

1. Compliance obligations
2. Specific risks that apply to the information assets
3. Business requirements for service or system

The magnitude of harm that could result from the loss, misuse, unauthorised access
to, or modification of such information should inform management decision making.

All Government information requires some level of protection; however, certain
information, because of its sensitivity, requires special management oversight.
The determination of appropriate security controls and applicability of this special
management oversight is determined through the classification of information and
the three criteria types defined above.

1.3 Compliance and Enforcement
Compliance with this Information Security Policy is mandatory. All Abu Dhabi
Government Entities must comply with the roles, responsibilities, and security
policy statements set forth in this document to ensure the confidentiality, integrity,
and availability of Government information. Further, Abu Dhabi Government Entities
must ensure that suppliers engaged by them adhere to the applicable obligations of
this Policy and its supporting Information Security Standards.

Abu Dhabi Government Information Systems that fail to comply with this policy may
not be allowed to process Government information or connect to other Government
systems.

Enforcement and monitoring of this policy is the responsibility of each Entity’s
Information Security Governance Committee and Chief Information Security Officer.

1.4 Authorities
This Information Security Policy defines mandatory requirements for protecting
information. It is issued in accordance with:

• Article 24 of U.A.E Federal Law No. 1 of 2006 concerning Electronic Transactions
& Commerce, which provides for Government to specify appropriate control
processes and procedures to ensure the confidentiality, integrity, and availability
of electronic records, payments and fees.

• Federal Law No. 5 of 2012 on combating cyber crimes, which establishes the
definition of cyber crimes and associated penalties.

• Abu Dhabi Government Policy Agenda 2030.

CHAPTER 2
Information Security Domains
It is the intention of the Abu Dhabi Government to protect its information assets
in a manner appropriate to the value of those information assets and the potential
harm that could be caused as a consequence of loss, misuse, unauthorised access
to, or unauthorised modification of, these assets. The Abu Dhabi Government has
put in place this Information Security Policy as a mechanism to provide direction
regarding the protection and stewardship of its information assets. Usage, storage,
transmission and management of those information assets must be undertaken in a
manner conformant with this Policy.

To provide assurance that appropriate confidentiality, integrity, and availability
provisions exist for government information assets and to ensure the effectiveness
of information security programmes in the government entities, this Information
Security Policy was organised into twelve Information Security domains as follows:


2.1 Information Security Governance


Abu Dhabi Government Entities shall implement Information Security governance
provisions to provide direction and oversight to their Information Security
programmes. These programmes will be aligned to the requirements of this Policy
and the Abu Dhabi Information Security Standards. These requirements include:

1. Entities shall set and review measurable objectives for their Information
Security programmes and make sufficient budgetary provisions to achieve those
objectives. Programme objectives should have a primary focus upon addressing
areas of most significant risk, achieving compliance obligations and addressing
business needs in a secure manner.

2. Entities shall ensure that suitable resourcing is provided for the organisation’s
Information Security programme to be transacted. Entities shall appoint a Chief
Information Security Officer (CISO) to undertake day-to-day management of
the Information Security programme, supported as necessary by additional
security-related roles.

3. Entities shall constitute an Information Security Governance Committee (ISGC)
to provide executive-level oversight for the Entity’s Information Security
Programme.

2.2 Information Security Risk Management


Abu Dhabi Government Entities shall apply the Abu Dhabi Information Security Risk
Management process in identifying, analysing, responding to and monitoring the
most significant Information Security-related risks that the Entity faces. Entities
shall be responsible for applying appropriate responses to the most significant risks
having a bearing upon their Information Security posture. The responses should be
aligned to the Control Standards found within the Abu Dhabi Information Security
Standards.

2.3 Human Resources Security
Abu Dhabi Government Entities shall implement work design and working practices
that provide personnel with secure access to government information assets.
Entities shall make provision for an appropriate segregation of duties, as determined
by risk assessment.

Before access is granted to Abu Dhabi Government information assets, Entities shall
ensure that personnel have been screened by appropriate authorities. Entities shall
ensure that personnel have the required information, training, skills, awareness and
competencies to process Government information in a manner appropriate to the
information’s classification.

2.4 Third Party Supplier Security


Abu Dhabi Government Entities shall engage and manage third-party suppliers in a
manner supportive of the goals and initiatives of the entity’s Information Security
programme. Third party suppliers with involvement in the creation, usage, storage,
transmission or destruction of Abu Dhabi government data should ensure that
they understand the Information Security obligations imposed upon them by the
engaging Abu Dhabi Government Entity and by the Abu Dhabi Information Security
Programme.

2.5 Information Security Training, Awareness and Communication
Abu Dhabi Government Entities shall provide the users of their information assets
with training and awareness appropriate to the roles undertaken by those users.
Entities shall ensure that the benefits and obligations of their Information Security
programmes are actively promoted, with the view to building awareness of, and
engagement with, the entity’s Information Security objectives.


2.6 Information Asset Management


Abu Dhabi Government Entities shall identify and manage their information assets
(including information systems). Records shall be kept regarding the purpose,
location, ownership and usage of those information assets. Information assets shall
be classified in accordance with the Abu Dhabi Information Classification framework.
Information assets (both physical and logical) should have appropriate labelling
applied to clearly communicate their information classification.

2.7 Physical and Environmental Security


Abu Dhabi Government Entities shall provide protection to facilities used in the
creation and management of information assets. The protections deployed shall:

1. Ensure critical or sensitive information processing facilities are physically
protected from unauthorised access, damage, and interference; and

2. Ensure equipment is protected from physical and environmental threats.

2.8 Information Systems Design, Development and Testing
Abu Dhabi Government Entities shall ensure that information systems and
Information Security controls are designed, developed, implemented and tested in
a manner aligned to achieving defined, specific Information Security requirements.
The entity’s employees, contractors and third party organisations with access to
sensitive information or systems shall adhere to this process in order to ensure:

1. Business requirements of new systems or enhancements specify security control
requirements;

2. Systems and associated controls are designed, developed, implemented and
tested against those requirements.

2.9 Identity and Access Management
Abu Dhabi Government Entities shall ensure that access to information systems and
information assets in other forms is controlled. Users of information systems and
information processing facilities shall be appropriately authenticated, with access
and privileges granted on the basis of a verified business need. Entities shall be
responsible for monitoring access for appropriate usage and revoking access when
no longer required, or when deemed no longer appropriate. Users of information
systems and information processing facilities shall be informed as to their obligations
and responsibilities for Information Security.

2.10 Information Systems Operations Management


Abu Dhabi Government Entities shall ensure that:

1. Processes, technologies and facilities are in place to support the management of
information systems while in production.

2. Information systems shall be monitored, against an agreed Information Security
baseline, for performance and compliance with the Entity’s Information Security
Policy.

3. Key information relating to information system activities shall be logged for
future use.

4. Information systems shall be subject to regular data back-up and media shall be
handled securely.


2.11 Information Security Incident Management


Abu Dhabi Government Entities shall ensure Information Security-related incidents
are identified, contained, managed and recovered from in a timely and effective
manner. Entities shall ensure that potential incidents are anticipated and planning
is undertaken to ensure an appropriate incident response can be mobilised when
required. Significant incidents should be reported to ADSIC for appropriate support
to be rendered to the Entity and to facilitate cross-governmental information
sharing.

2.12 Information Systems Continuity Management


Abu Dhabi Government Entities shall ensure that information systems and
information processing facilities remain accessible for authorised use based on
the business requirement. Entities shall develop, resource and test an Information
Systems Continuity Management Plan. For each information system a Recovery
Point Objective (RPO) and Recovery Time Objective (RTO) shall be defined.
Continuity planning shall seek to ensure that the agreed RPO and RTO targets
can consistently be met, under a range of potential operational and exceptional
circumstances. The Information System Continuity Management should be aligned
with Business Continuity Management for the entity, where the latter exists.

CHAPTER 3
Roles & Responsibilities
This policy was developed in coordination with a number of Abu Dhabi Government
Entities, and coordination with strategic partners, i.e. local and federal UAE
Government entities, is required.

To ensure the objectives of this policy are met and to achieve increased efficiency
and effectiveness in implementation of Information Security, General Secretariat
Executive Council (GSEC), Abu Dhabi Systems and Information Centre (ADSIC),
Abu Dhabi Information Security Working Group (AD-ISWG) and all Abu Dhabi
Government Entities (ADGE) will have defined roles and responsibilities to
implement this policy.


3.1 The General Secretariat of Abu Dhabi Executive Council
The Executive Council shall provide strategic leadership and sponsorship for
Information Security across the Government of Abu Dhabi. The Executive Council
provides authority to the Abu Dhabi Systems and Information Centre (ADSIC)
to manage the Government’s Information Security framework. It requires all
Government Entities to adhere to this Policy and the Abu Dhabi Information Security
Standards.

3.2 Abu Dhabi Systems & Information Centre (ADSIC)


The Abu Dhabi Systems and Information Centre (ADSIC) shall provide leadership
and strategic direction for the Information Security Programme. It shall develop
the necessary policy, standards, and guidance to ensure Information Security is
effectively implemented and maintained across Abu Dhabi.

ADSIC shall be responsible for leading the Government-wide Abu Dhabi Information
Security Programme. These responsibilities shall include, but not be limited to:

• Development of a pan-governmental Information Security implementation
strategy.

• Development, publication, maintenance and revision of:
  - Abu Dhabi Government Information Security Policy (this document)
  - Abu Dhabi Government Information Security Standards
  - Supporting implementation guides

• Strategic coordination of the Information Security programme will be undertaken
by ADSIC. It will involve Abu Dhabi Government Entities, strategic partners and
other stakeholders in order to achieve the programme’s objectives.

• Facilitating the activities of the Information Security Working Group.

• Designing and delivering Information Security-related training and awareness to
Abu Dhabi Government Entities.

• Developing and submitting a regular report to the Executive Council – General
Secretariat regarding the progress and strategic direction of the Information
Security Programme. Furthermore, aggregation, consolidation and review of
Information Security status reports from Abu Dhabi Government Entities.

• Communicating and escalating, as necessary, serious Information Security issues
and concerns to the relevant entities.

• Undertaking assessments of Abu Dhabi Government Entities’ Information
Security Programmes and the associated managerial controls.

• Undertaking assessment of Abu Dhabi Government Entities’ technical and
information system-specific controls.

• Establishing and managing a Security Operations Centre (SOC) to monitor
government systems and respond to incidents and events with possible direct,
indirect or consequential impact on Abu Dhabi information assets.

3.3 Abu Dhabi Information Security Working Group (AD-ISWG)
An information sharing body led by the Abu Dhabi Systems and Information Centre
and composed of Chief Information Security Officers of Abu Dhabi Government
Entities. The Working Group members shall be responsible for:

• Providing real-world feedback on implementation challenges and opportunities
arising within Entities’ Information Security programmes.

• Receiving programme status updates from ADSIC and cascading key points
within their own organisations.

• Reviewing draft Information Security documents, ahead of their publication.

• Sharing best practice concepts with peers in other government Entities.

The AD-ISWG will be a consultative and information exchange body. It will not be a
decision-making body.

3.4 Abu Dhabi Government Entities (ADGEs)


All Abu Dhabi Government Entities shall have the primary responsibility for ensuring
that an Information Security programme is implemented and effective within
their own organisations. They have explicit responsibility to protect government
information assets within their custody.

Abu Dhabi Government Entities shall:

• Appoint a Chief Information Security Officer (CISO) and a supporting Information
Security organisation (as necessary, based on the organisation’s size, complexity,
service portfolio and risk profile).

• Constitute a regularly meeting Information Security Governance Committee to
provide executive-level oversight of the Entity’s Information Security programme
and the work of the CISO.

• Publish, and verify conformance with, an entity-level Information Security Policy.

• Undertake a categorisation of the entity’s information assets (including
information systems) based on criticality and importance of those assets to the
entity and to the government at large.

• Develop and resource an Information Security Programme Plan, which shall be
subsidiary to the entity’s Strategic Plan.

• Implement a set of common controls in support of the Information Security
Programme Plan.

• Implement a set of tailored controls, as necessary, for individual information
systems.

• Develop and maintain a register for tracking and managing the most significant
Information Security risks.

• Train information users and information system administrators in their
Information Security responsibilities.

• Communicate relevant information about threats, vulnerabilities and programme
status to relevant stakeholders.

• Support ADSIC in the process of testing and evaluation of the entity information
security programme status and provide ADSIC with the requested inputs to
achieve the objective of testing and evaluation.

• Regularly report status to ADSIC, against the Information Security Programme
Plan’s milestones and other key metrics.

• Build the required capabilities to monitor the information systems and manage
Information Security incidents in the entity.
