
Guiding Document for Information Security and Data Governance Policy Implementation

Information Security & Data Privacy Operational Guidelines

Document Number: JV-ISMS-GD-01
Version: 1.0
Status: Active / Operational
Effective Date: Jan 15, 2026
Referenced Policy: Information Security and Data Governance Policy (JV-ISMS-POL-01)

1. Purpose & Utility

This document serves as the operational bridge between the high-level Information Security Policy and the detailed Standard Operating Procedures (SOPs) as they are developed and matured over time. It defines the specific technical standards, protocols, and immediate actions required to roll out JointValues' commitments on this subject.

Applicability: This guidance is mandatory for all employees, Domain Specialists, and IT administrators until the full ISO 27001:2022 ISMS framework is formally certified.

2. Information Security Objectives

To operationalize our policy commitments, we focus on three key objectives:

  • Risk Minimization: Systematically identifying and mitigating vulnerabilities through periodic risk assessments (quarterly internal scans and annual external audits).
  • Regulatory Compliance: Adhering to all applicable national and international data protection standards, including specific banking/financial-domain security guidelines required by our assurance clients.
  • Operational Resilience: Maintaining robust business continuity protocols to ensure service availability during disruptions (target Recovery Time Objective < 24 hours for critical client data).

3. Operational Control Measures

A. Cryptography & Data Protection

  • Encryption in Transit: JointValues ensures and enforces Encryption in Transit using industry-standard TLS 1.2 and 1.3 protocols for all data exchanges. All web-based data transfers are conducted over HTTPS-secured channels, ensuring that sensitive client information is protected via a secure cryptographic tunnel during transmission.
  • Encryption at Rest: JointValues mandates the use of AES-256 bit encryption for all confidential data stored on corporate laptops, servers, and cloud repositories. Full Disk Encryption (FDE) tools—specifically BitLocker for Windows and FileVault for macOS—must be active and verified on all endpoint devices.
  • Key Management: JointValues segregates encryption keys from the data they protect. Access to cryptographic keys is restricted to authorized administrators, and keys are rotated annually or upon the departure of a key custodian.

B. Access Control & Identity Management

  • Multi-Factor Authentication (MFA): JointValues enforces mandatory MFA for 100% of user accounts accessing critical systems, including email (Google Workspace), cloud storage, and ERP systems. No exceptions are granted for executive or administrative accounts.
  • Role-Based Access Control (RBAC): JointValues restricts access to data directories based strictly on the “Need-to-Know” principle. Domain Specialists are granted access only to the specific project folders relevant to their active contracts, with access rights automatically revoked upon project completion.
  • User Access Reviews: JointValues conducts quarterly reviews of all user access rights. Any dormant accounts (inactive for >30 days) are automatically disabled, and access privileges for transferred or terminated employees are revoked within 24 hours.

C. Network & Operations Security

  • Secure Remote Access: JointValues prohibits direct public access to internal resources. All remote connections to the corporate network are tunneled exclusively through a Virtual Private Network (VPN) utilizing IPsec or SSL protocols with strict authentication.
  • Endpoint Hardening: JointValues deploys centrally managed Endpoint Detection and Response (EDR) agents on all company-owned devices. These agents are configured to block unauthorized software installation and automatically quarantine suspicious files.
  • Patch Management: JointValues executes critical security patches for operating systems and applications within seven (7) days of release. Automated patch management tools are utilized to verify compliance across the entire fleet.

D. Asset Management & Disposal

  • Asset Inventory: JointValues maintains a real-time inventory of all information assets, tagging each hardware device with a unique identifier and assigning it to a specific owner who is responsible for its physical security.
  • Secure Disposal: JointValues follows the NIST SP 800-88 Guidelines for Media Sanitization. Before any storage media is retired, recycled, or reassigned, data is permanently destroyed using cryptographic erasure or physical destruction methods to ensure irretrievability.

E. Vendor & Third-Party Security

  • Supplier Risk Assessment: JointValues evaluates all critical vendors (including Cloud Service Providers and SaaS tools) for security compliance (SOC 2 or ISO 27001) prior to onboarding.
  • Contractual Enforcement: JointValues embeds strict data protection clauses in all contracts with Domain Specialists. These clauses explicitly mandate the return or destruction of all JointValues data upon contract termination, subject to audit.

4. Monitoring & Incident Response

  • Audit Logging: JointValues captures and retains immutable logs of all administrative activities, login attempts (successful and failed), and access to sensitive data files for a minimum period of 180 days.
  • Incident Reporting: JointValues requires all employees and contractors to report any suspected security breach or “near miss” to the IT Security Team immediately. The team is obligated to assess the severity and notify relevant stakeholders (including Data Principals and the Data Protection Board, if applicable) within the statutory timelines.

5. Technical Implementation & Configuration Standards

To achieve the security objectives defined above, implementation is divided into two levels: Level 1 (Baseline Configuration), which leverages existing secure configuration capabilities, and Level 2 (Strategic Enhancements), which involves the progressive adoption of advanced infrastructure to address emerging risks.

Level 1: Configuration & Policy Actions (Baseline Security Posture)

JointValues adopts the following standard configuration baselines and best practices across its Operating Systems and Cloud Workspaces.

A. Encryption at Rest (Device Settings)

  • Windows Devices (BitLocker):
    • Adopted Standard: Enable BitLocker on all Windows Pro/Enterprise laptops.
    • Configuration Baseline: Enforce encryption method to XTS-AES 256-bit via Group Policy Editor (gpedit.msc > Computer Configuration > Admin Templates > Windows Components > BitLocker > Drive Encryption Method).
  • macOS Devices (FileVault):
    • Adopted Standard: Enable “FileVault” in System Settings > Privacy & Security.
    • Configuration Baseline: Ensure the recovery key is securely vaulted in the corporate cloud account rather than stored on the local disk.

B. Encryption in Transit (Protocol Settings)

  • Cloud Sharing (Google/OneDrive):
    • Adopted Standard: Disable “Anyone with the link” permissions in the Administrative Console to prevent public exposure.
    • Configuration Baseline: Enforce mandatory expiration dates (e.g., 7 days) and password protection for all external file shares.
  • Manual Encryption (Process):
    • Adopted Standard: Utilize 7-Zip (Open Source) to encrypt sensitive files prior to email transmission.
    • Configuration Baseline: Select “AES-256” as the encryption method when creating the archive.

C. Access Control (Identity Settings)

  • Multi-Factor Authentication (MFA):
    • Adopted Standard: Enforce “2-Step Verification” in Google Workspace/Microsoft 365 Admin Console for all users without exception.
  • Screen Lock:
    • Adopted Standard: Configure “Interactive logon: Machine inactivity limit” to 300 seconds (5 minutes) or less via Group Policy to prevent unauthorized physical access.
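Added example, not part of this guideline or of JointValues' own tooling: a PowerShell audit script that checks a Windows endpoint against the Level 1 baselines in sections A (BitLocker on, XTS-AES 256, recovery key present for vaulting) and C (machine inactivity limit of 300 seconds or less). It assumes the standard registry locations these Group Policy settings write to (EncryptionMethodWithXtsOs under HKLM\SOFTWARE\Policies\Microsoft\FVE and InactivityTimeoutSecs under the System policies key) and the built-in Get-BitLockerVolume cmdlet.

```powershell
# Added audit script (not part of JV-ISMS-GD-01): checks the Level 1 Windows
# baselines from sections A and C on the local machine. Run in an elevated
# PowerShell session; the BitLocker module ships with Windows Pro/Enterprise.

$findings = @()

# --- A. Encryption at Rest: BitLocker must be on with XTS-AES 256 ---
# Policy value written by the gpedit "Drive Encryption Method" setting for OS
# drives; 7 = XTS-AES 256, 6 = XTS-AES 128 (assumed standard mapping).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$osMethod = (Get-ItemProperty -Path $fve -Name EncryptionMethodWithXtsOs -ErrorAction SilentlyContinue).EncryptionMethodWithXtsOs
if ($osMethod -ne 7) {
    $findings += "GPO: OS drive encryption method is not XTS-AES 256 (EncryptionMethodWithXtsOs=$osMethod)"
}

# Actual state of the OS volume, independent of what policy says.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker: $($os.MountPoint) status=$($os.VolumeStatus) protection=$($os.ProtectionStatus)"
}
if ($os.EncryptionMethod -ne 'XtsAes256') {
    $findings += "BitLocker: $($os.MountPoint) uses $($os.EncryptionMethod), expected XtsAes256"
}
# A RecoveryPassword protector must exist; without one there is no recovery
# key to vault in the corporate account as section A requires.
if (-not ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    $findings += "BitLocker: no RecoveryPassword protector on $($os.MountPoint)"
}

# --- C. Screen Lock: 'Interactive logon: Machine inactivity limit' <= 300 s ---
# Stored as InactivityTimeoutSecs; 0 or absent means the limit is disabled.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
if ($null -eq $timeout -or $timeout -eq 0 -or $timeout -gt 300) {
    $findings += "Screen lock: InactivityTimeoutSecs=$timeout (expected 1..300)"
}

if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: Level 1 Windows baselines A and C are in place.'
    exit 0
} else {
    $findings | ForEach-Object { Write-Output "NON-COMPLIANT: $_" }
    exit 1
}
```

The non-zero exit code lets the script be scheduled by the fleet patch-management tooling from section 3.C and surfaced as a compliance failure rather than read by hand.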

Level 2: Enterprise Infrastructure (Strategic Enhancements)

JointValues commits to the continual upgrading of system infrastructure to address emerging risks and leverage advanced security technologies.

A. Advanced Network Security

  • Corporate VPN (Virtual Private Network):
    • Strategy: Subscription to business-grade VPN services (e.g., NordLayer, Perimeter 81, or Cisco AnyConnect).
    • Objective: To encrypt internet traffic when consultants operate from public Wi-Fi (airports, cafes) or client sites with unverified networks.

B. Endpoint Management & Protection

  • MDM (Mobile Device Management):
    • Strategy: Deployment of MDM licenses (e.g., Microsoft Intune, Jamf, or Kandji).
    • Objective: To remotely sanitize data from lost laptops, enforce encryption updates, and block unauthorized USB drives without requiring physical access to the device.
  • EDR (Endpoint Detection & Response):
    • Strategy: Transition from standard antivirus to advanced EDR solutions (e.g., CrowdStrike, SentinelOne).
    • Objective: To detect and neutralize sophisticated ransomware attacks using Behavioral Analysis rather than simple signature-based detection.

C. Hardware Upgrades

  • OS Edition Standardization:
    • Strategy: Standardization of all laptops to “Windows Pro” or higher.
    • Objective: To ensure all endpoints support essential enterprise security features such as BitLocker encryption and Centralized Management, which are often absent in “Home” editions.

6. Review and Maintenance

This document shall be reviewed every two (2) years, or earlier if any material change occurs in the regulatory environment, business operations, or technical infrastructure that impacts the security posture of the organization.