Information Security Policy

1. Purpose

The purpose of this Information Security Policy is to ensure the protection of DAPL’s information assets, including data, systems, and networks, from threats such as unauthorized access, data breaches, and cyberattacks. This policy outlines the standards and procedures for safeguarding the confidentiality, integrity, and availability of information.

2. Scope

This policy applies to all employees, contractors, consultants, temporary staff, and other workers at DAPL, including all personnel affiliated with third parties. It covers all information assets owned, leased, or otherwise under the control of DAPL.

3. Information Security Principles

3.1 Confidentiality: Information must be accessible only to those authorized to have access.

3.2 Integrity: Information must be accurate and complete, and its authenticity must be safeguarded.

3.3 Availability: Information must be accessible and usable upon demand by an authorized entity.

4. Roles and Responsibilities

4.1 Information Security Officer (ISO): Responsible for the development, implementation, and maintenance of the Information Security Policy and related procedures.

4.2 IT Department: Responsible for implementing and maintaining technical controls and measures to protect information assets.

4.3 Employees: Responsible for adhering to the Information Security Policy and reporting any security incidents or vulnerabilities.

4.4 Third Parties: Must comply with DAPL’s information security standards when accessing or handling DAPL’s information.

5. Information Classification

5.1 Public: Information that can be freely disseminated.

5.2 Internal: Information intended for internal use only.

5.3 Confidential: Information that requires protection from unauthorized access or disclosure.

5.4 Restricted: Highly sensitive information that requires stringent protection measures.

6. Access Control

6.1 User Authentication: Access to information systems must be restricted to authorized users through strong authentication mechanisms.

6.2 Role-Based Access Control (RBAC): Access to information must be granted based on the user’s role and responsibilities within the organization.

6.3 Least Privilege Principle: Users should have the minimum level of access necessary to perform their job functions.

7. Data Protection

7.1 Data Encryption: Sensitive data must be encrypted both in transit and at rest.

7.2 Data Backup: Regular backups must be performed to ensure data can be restored in case of loss or corruption.

7.3 Data Retention: Data must be retained only as long as necessary to fulfill its purpose and comply with legal requirements.

8. Network Security

8.1 Firewall Protection: Firewalls must be used to protect the network from unauthorized access and cyber threats.

8.2 Intrusion Detection and Prevention Systems (IDPS): IDPS must be deployed to detect and prevent security breaches.

8.3 Secure Remote Access: Remote access to the network must be secured through VPNs and multi-factor authentication.

9. Physical Security

9.1 Access Control: Physical access to information systems and data centers must be restricted to authorized personnel.

9.2 Surveillance: Data centers and critical infrastructure must be monitored using surveillance systems.

9.3 Environmental Controls: Data centers must be equipped with environmental controls to protect against fire, flooding, and other hazards.

10. Incident Management

10.1 Incident Reporting: All security incidents must be reported immediately to the Information Security Officer.

10.2 Incident Response: An incident response plan must be in place to address and mitigate the impact of security incidents.

10.3 Post-Incident Review: A post-incident review must be conducted to identify the cause of the incident and implement measures to prevent recurrence.

11. Compliance and Audit

11.1 Regulatory Compliance: DAPL must comply with all relevant laws, regulations, and standards related to information security.

11.2 Internal Audits: Regular internal audits must be conducted to ensure compliance with the Information Security Policy.

11.3 Third-Party Audits: External audits may be conducted to validate the effectiveness of the information security program.

12. Training and Awareness

12.1 Employee Training: All employees must receive regular training on information security best practices and policies.

12.2 Awareness Programs: Information security awareness programs must be conducted to keep employees informed about current threats and security measures.

13. Policy Review

13.1 Regular Review: This policy must be reviewed and updated regularly to ensure its continued relevance and effectiveness.

13.2 Amendments: Any amendments to this policy must be approved by senior management.

14. Enforcement

14.1 Compliance: All employees and third parties must comply with this Information Security Policy.

14.2 Disciplinary Action: Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or contract.