Information security management
Information security implies preserving confidentiality, integrity and availability of information. An adequate level of information security is achieved by establishing controls, which should be constantly monitored and, when necessary, improved to ensure the continuous fulfilment of business and security objectives. Therefore, information security is not a one-time activity but should be seen as an ongoing process.
The CBCG’s information security management system is aligned with the international information security standards of the ISO/IEC 27000 series. It ensures compatibility with Montenegro’s legal regulations and the EU’s information security concept.
The information security management system, based on the efficient management of controls designed and established to treat risks, provides confidence in the CBCG’s information security.
The CBCG’s Information Security Policy is implemented through compliance with the following principles:
- Ensuring information confidentiality, integrity and availability: information must be protected from unauthorised access and all threats, external or internal, intentional or accidental;
- Fully defined information security functions and responsibilities;
- Management of information security risks using appropriate controls and countermeasures to achieve an acceptable risk level for an acceptable price;
- Defining the ownership of information values, which must be listed and classified in terms of their value, secrecy and criticality degree;
- Information security’s inclusion in the human resources management process during employment, work engagement and when terminating employment;
- Physical protection of information and information processing devices, including defining safe zones with appropriate protection systems and access control; the protection level should correspond to the identified risks;
- Controlling and supervising access to information to ensure exclusively authorised access;
- Identifying risks to CBCG information and implementing controls before granting access to information when business processes involve third parties;
- Complying with information security regulations;
- Ensuring the correct and safe information system functioning, including the definition of responsibilities and documenting appropriate operating procedures, which must be regularly maintained and available to employees who need them;
- Including security requirements when introducing new technical components or information systems into use;
- Establishing an adequate system for incident management to enable smooth business continuity if a security incident occurs;
- Developing, maintaining and testing plans for business continuity and disaster recovery to ensure business continuity in all conditions;
- Regular information security training available to all employees;
- Establishing an effective process for monitoring the Policy’s implementation;
- Regular Policy updating following business needs and changes in practice, standards and legislation;
- Obliging employees and third parties to respect the Information Security Policy, rules and procedures.