Chapter 1. General provisions
Chapter 2. Goals and objectives
4. The purpose of this Policy is to define a unified approach in ensuring information security in JSC “NPC”, aimed at organizing the protection of information regardless of the form and place of its processing and storage, means of its
5. The main tasks to fulfill the goal of the Policy are as follows:
1) ensuring the integrity, availability of information assets and protection of confidential information of JSC “NPC” and third parties related to the activities of JSC “NPC”;
2) identification, prevention and neutralization of actual and potential threats to the IS, as well as establishing the causes and conditions of their occurrence;
3) minimization and localization of consequences in case of information security threats, assessment and comprehensive analysis of incidents for further prevention;
4) analysis of compliance with the legal aspects of information security activities and continuous updating of the requirements of internal regulatory documents;
5) improving the corporate culture of employees and their awareness in the field of ensuring information security;
6) control of efficiency and sufficiency of applied information protection measures and means of its processing.
6. The main areas of implementation of the Policy and compliance with information security requirements at JSC “NPC” are realized through:
– implementation of organizational and technical protection measures;
– fulfillment of legislative and regulatory requirements, as well as applicable requirements of state and international standards in the field of information security assurance;
– developing and complying with internal regulations governing various aspects of information security, including, but not limited to, access authorization, handling protected resources, passwords, handling information and its media, software and its updates, backups, access to internal and external network resources, working with security analysis systems, attack detection and prevention, antivirus protection, source code analysis process, fire protection, use of other means of protection and ensuring information security.
Chapter 3. Basic provisions of the Information Security Management System
7. To achieve the goal of this Policy, JSC “NPC” shall improve the ISMS.
8. The functioning of the ISMS shall be carried out in accordance with the following basic principles:
1) legality – any actions taken to ensure information security are carried out on the basis of applicable laws, using all methods of detection, prevention, localization and suppression of negative impacts on the objects of protection of JSC “NPC” permitted by the legislation;
2) comprehensiveness – ensuring the security of information resources throughout their entire life cycle, at all technological stages of their use and in all modes of operation;
3) personal responsibility – managers at all levels and executives must be aware of all information security requirements and bear personal responsibility for the fulfillment of these requirements and compliance with the established information security measures;
4) interaction and coordination – information security measures are implemented on the basis of interconnection of the relevant structural divisions of JSC “NPC”, coordination of their efforts to achieve the set goals, as well as establishment of necessary links with external organizations, professional associations and communities, and government agencies.
9. At JSC “NPC”, the choice of technical means and organizational measures for the protection of information assets to minimize possible losses is based on the identification and assessment of information security risks.
10. The scope of the ISMS applies to all independent structural units of JSC “NPC”, as well as to organizations and institutions interacting with JSC “NPC” as suppliers and (or) consumers of JSC “NPC” information resources.
11. JSC “NPC” employees responsible for the organization and implementation of measures to ensure information security and information processing and storage processes regularly undergo appropriate information security training.
Chapter 4. Responsibility and Control
12. The Chairman of the Board of JSC “NPC” assumes responsibility for the implementation of this Policy, exercises control over the fulfillment of the goals and main provisions of this Policy, including the provision of necessary conditions and resources to achieve the goals of this Policy, as well as assumes obligations to continuously improve and fulfill the applicable requirements of the ISMS.
13. Management of information security in day-to-day operations is assigned to the head of the security division, who is personally responsible for the implementation of this Policy.
14. The Security Department is responsible for achieving the goals and objectives set by the management of JSC “NPC”, as well as for controlling the fulfillment of the requirements reflected in the ISMS documents. All exceptions to these requirements must be agreed with the responsible structural unit.
15. Heads of structural subdivisions and employees of JSC “NPC” are responsible for the unconditional and complete fulfillment of their duties to maintain and meet IS requirements in accordance with ISMS documents; representatives of third parties having access to information resources and confidential information of JSC “NPC” are responsible in accordance with their contractual obligations.
16. All employees of JSC “NPC” are personally liable for violation and/or non-compliance with the requirements and measures for the protection of information and means of its processing established in the internal documents of JSC “NPC”, and are obliged to report all detected violations and incidents to the unit responsible for ensuring security.
17. Internal documents of JSC “NPC”, including the job descriptions of all employees, must contain requirements for ensuring and observing information security.
Chapter 5. Final Provisions
18. The Policy is subject to annual review, and is reviewed immediately in case of significant changes in the activities of JSC “NPC” or in the requirements of the legislation of the Republic of Kazakhstan or of regulatory bodies affecting the ISMS.
19. The Information Security Division communicates this Policy to all employees of JSC “NPC”.