Fərid Quliyev

CEO, Chairman of the Executive Committee

Quliyev Fərid Fuad oğlu was born in Baku. He is an economist. He began his professional career in the financial sector in 2007 and has served on the management boards of various financial organizations since 2012.
In February 2018, he was appointed CEO of “Azərikard” LLC.

Zakir Əhmədov

Deputy CEO - Chief Business Development and Support Officer, Member of the Executive Committee

Ersin Ünsal

Deputy CEO

Fərid Məmmədzadə

Deputy CEO - Chief Information Officer, Member of the Executive Committee

Structure 1

Azərikard LLC

AZ 1005, 67 Nizami Street, Baku, Azerbaijan

TIN (VÖEN): 1400318341

"Azərbaycan Beynəlxalq Bankı" OJSC

"ABB Premyer" Customer Service

Code: 805250

Correspondent account: AZ03NABZ01350100000000002944

TIN (VÖEN): 9900001881

SWIFT: IBAZAZ2X

INFORMATION SECURITY MANAGEMENT SYSTEM

Approved by “Azerikard” LLC’s Executive Committee

Minutes №:

Date:

“Azerikard” LLC’s CEO

Farid Guliyev

_______________________________

signature

Information Security Management System - ISMS POLICY

 

| | Name, Surname | Position | Signature | Date |
|---|---|---|---|---|
| Creator: | Asmar Karimzada | Leading Specialist of Information Security Governance, Security Department | | 13.12.2023 |
| Reviewer: | Azim Qambarli | Head of Information Security Division, Security Department | | 13.12.2023 |
| Agreed with: | Eldar Dursunov | Chief Information Security Officer | | 13.12.2023 |

 

                                                         

Table of Contents

1. Purpose
2. Scope
3. Objectives
3.1 Understanding the needs and Expectations of interested parties
4. Responsibilities
5. ISMS Policy
5.1 Information Security Requirements
5.2 Risk Management
5.3 Change Management
5.4 Human Resources
5.5 Business Continuity
5.6 Improvement of ISMS
6. Policies and Procedures
7. Exceptions
8. Performance Evaluation
9. Policy Review
10. Communication
11. Confidentiality
12. Legal, statutory, regulatory and contractual requirements
12.1 Legal, regulatory and contractual requirements procedure
12.2 Identify requirement
12.3 Assess implications
12.4 Document requirements
12.5 Define approach to meeting requirements
12.6 Review and update
13. Configuration management
14. Intellectual property rights

 

1. Purpose

This ISMS Policy specifies the security requirements for the Organization's proper and secure usage of Information Technology services. Its purpose is to protect the Organization and its users, to the greatest extent possible, against security threats that could compromise their integrity, privacy, reputation, and commercial outcomes, by setting up an ISMS (Information Security Management System).

 

2. Scope

This document applies to all users in the Organization, including temporary users, visitors with limited or unlimited access to services, and partners with limited or unlimited access to services. Therefore, this document's policies must be strictly followed. The detailed scope of the ISMS, including the controls, will be defined in the SoA (Statement of Applicability).

 

3. Objectives

The Organization will retain documented information on the information security objectives. The objectives of an ISMS policy include the following:

  • Confidentiality: Protect sensitive information from unauthorized access, disclosure, or theft.
  • Integrity: Ensure that information is accurate, reliable, and not tampered with or modified inappropriately.
  • Availability: Ensure that information is accessible to authorized users when needed and not lost or destroyed due to system failures or other events.
  • Compliance: Ensure that the Organization complies with relevant laws, regulations, and standards related to information security.
  • Risk Management: Identify and manage risks related to the Organization's information assets and take appropriate steps to mitigate those risks.
  • Continual Improvement: Continuously monitor and improve the Organization's information security posture, including its policies, procedures, and technical controls.
  • Communication: Ensure that employees, contractors, and other stakeholders are aware of their responsibilities related to information security and that they receive regular training and education on best practices.

When planning how to achieve its information security objectives, the Organization shall determine:

 

3.1 Understanding the needs and Expectations of interested parties

The organization shall determine:

  1. Interested parties that are relevant to the information security management system.
  2. The relevant requirements of these interested parties.
  3. Which of these requirements will be addressed through the information security management system.

  • External issues - Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.
  • Internal issues - Understanding the internal context can be facilitated by considering issues related to the organization's values, culture, knowledge and performance.

 

As with internal and external issues, the Organization has identified its stakeholders together with their needs and expectations, and has identified the opportunities and threats and the degree of risk attached to each. The results of these risk assessments are contained in [Risk Register].

 

| Interested party | Needs and expectations |
|---|---|
| Shareholders | Expect the organization to manage information security risks effectively to protect the organization's assets, reputation, and financial performance. |
| Customers | Expect the organization to protect their personal and financial information from security breaches. They may also expect transparency from the organization about its security policies and procedures. |
| Suppliers | Expect the organization to have robust security controls in place, especially if they are sharing sensitive information. They may also expect the organization to comply with certain security standards as part of their contractual agreements. |
| Employees | Expect the organization to protect their personal data and provide them with a secure working environment. They may also expect training and resources to help them understand and fulfill their roles in maintaining information security. |
| Regulators | Expect the organization to comply with all relevant information security laws, regulations, and standards. |
| Community | Expect the organization to protect information that could impact the safety, health, or economic well-being of the community or the wider society. |

 

Note: The details of needs and expectations are described in the Organization's ISMS Scope document.

 

4. Responsibilities

| Roles | Responsibilities |
|---|---|
| [Chief Information Security Officer] | Responsible for the Organization's information security in all aspects. |
| ISMS Manager | Create and update Security Policy documents. Ensure that security training initiatives are in place. Ensure that the IT infrastructure is compliant with security policies. Assist with BCM and DRP. |
| Head of Information Security Division | Make a security threat, vulnerability, and risk plan. In charge of setting the IT infrastructure's security requirements. |
| Information Owners | Assist with their respective area's security standards. Determine the privileges and rights of access to the resources in their areas. |
| L1 | Monitor events in line with the Incident Response Policy. |
| L2 | Act in the event of a data security breach in line with the Incident Response Policy. |
| End Users | Comply with security policies. Inform the authorities about any attempted security breaches. |
| IT Infrastructure administrators | In charge of IT infrastructure security setup in accordance with security requirements, policies and procedures. |

 

 

5. ISMS Policy

The Policy's goal is to safeguard the Organization's information assets from any risks, whether internal or external, intentional or unintentional.

The Organization's Policy is to ensure that:

  • As the business process requires, information should be made available with minimal disturbance to staff and the general public.
  • The confidentiality of this data will be protected. Information confidentiality will be ensured, including but not limited to research, third parties, and personal and electronic communications data.
  • All legal and regulatory standards will be met.
  • Employees should get information security education, awareness, and training.
  • All actual or suspected information security breaches must be reported to and investigated by the appropriate authorities, including System Administration and Incident Response.
  • Appropriate access control will be maintained, and data will be kept safe from unwanted access.

To complement the ISMS Policy, policies, procedures, and guidelines for AzeriCard LLC will be available in print and online forms through an intranet system.

 

5.1 Information Security Requirements

A precise definition of information security requirements will be agreed upon with the internal business and maintained. All ISMS work will be focused on meeting those criteria. Legislative, regulatory, and contractual agreements will also be documented and included in the planning process. As part of each project's design, specific security needs for new or altered systems or services will be captured.

The key idea of the AzeriCard LLC ISMS is that controls are implemented in response to business needs, which will be regularly conveyed to all employees via team meetings and briefing documents.

 

5.2 Risk Management

The ISMS policy defines risk management as a core component of the organization's approach to information security. It outlines the objectives and principles guiding the risk management process, as well as the roles and responsibilities of individuals involved. It involves understanding potential threats, vulnerabilities, and the potential impact of incidents on the confidentiality, integrity, and availability of information. The organization establishes a framework that promotes a proactive and systematic approach to identifying, assessing, and managing risks to their information assets.

 

5.3 Change Management

The ISMS policy defines change management as a critical component of the organization's overall information security strategy and provides guidance on how changes should be managed to minimize risks to information assets. It involves assessing the potential impact of changes on information security, implementing appropriate controls, and ensuring that changes are effectively planned, tested, and documented.

 

5.4 Human Resources

Based on proper education, training, abilities, and experience, AzeriCard LLC will ensure that all personnel involved in information security are competent. The required skills will be determined and assessed regularly, as well as an assessment of current skill levels within AzeriCard LLC. Training requirements will be identified, and a strategy will be implemented to guarantee that the appropriate skills are in place. The HR department will keep track of training, education, and other necessary data to document individual skill levels.

 

5.5 Business Continuity

Business continuity, within the context of an Information Security Management System (ISMS) policy, refers to the strategies, plans, and procedures put in place to ensure the organization can continue its critical operations and minimize the impact of disruptions or incidents that may threaten the availability of its information assets. It involves proactive measures to identify potential risks, develop resilience capabilities, and establish effective response and recovery mechanisms.

AzeriCard LLC defines business continuity as a fundamental aspect of the organization's information security strategy, highlighting the commitment to maintaining the continuity of business operations, safeguarding critical assets, and minimizing the impact of incidents.

 

5.6 Improvement of ISMS

AzeriCard LLC's policy on continual improvement is to:

  • Increase the level of proactivity (and stakeholder perception of proactivity) about information security, according to the AzeriCard LLC Policy on continuous improvement.
  • Make information security processes and controls more measurable so that informed decisions may be made.
  • Evaluate important metrics yearly to see if they should be changed based on historical data.
  • Collect ideas for continuous improvement through regular meetings and communication with stakeholders.
  • In evaluating improvement recommendations, the following criteria must be used:
    • Cost
    • Business Benefit
    • Risk
    • Timeline for Implementation
    • Resources required

 

6. Policies and Procedures

Here is a list of some of the policies and procedures that support the ISMS:

| Policy | Purpose |
|---|---|
| Acceptable use policy | Establish guidelines and expectations regarding the appropriate and responsible use of an organization's information technology resources, systems, and networks. |
| Remote Working Policy | Establish guidelines, procedures, and controls that ensure the security and protection of information assets when using mobile devices and engaging in teleworking or remote work arrangements. |
| IT Asset Decommission policy | Establish guidelines, procedures, and controls for the secure and proper disposal of information assets that are no longer needed or have reached the end of their lifecycle. |
| Information classification policy | Establish a framework and guidelines for categorizing and labeling information assets based on their level of sensitivity, importance, and criticality to the organization. |
| Password policy | Establish guidelines, requirements, and best practices for the creation, use, and management of passwords within an organization's information systems. |
| Data recovery and backup policy | Establish guidelines, procedures, and controls for the regular and secure backup of critical information assets and the recovery of data in the event of a disruption, system failure, or data loss. |
| Access Control Policy | Outline the rules and principles governing the granting, management, and revocation of access privileges to individuals within the organization. |
| Documented Information Management Procedure | Establish a systematic approach for managing and controlling the creation, distribution, access, storage, retention, and disposal of documents and records within an organization's information security management framework. |
| Cryptographic Policy | Provide guidelines, procedures, and controls for the proper and secure use of cryptographic techniques and technologies within an organization. |
| IT Asset Management Policy | Establish guidelines, procedures, and controls for effectively managing and protecting the organization's information assets throughout their lifecycle. |
| Clean Desk Standard Policy | Establish guidelines and requirements for maintaining a clean and secure work environment by promoting the proper handling and storage of sensitive information and assets. |
| Corrective Action Procedure | Establish a structured and systematic approach for identifying, addressing, and resolving non-conformities, incidents, and other issues related to information security within an organization. |
| Disaster and Recovery Plan | Establish a structured and coordinated approach to mitigate the impact of disasters and facilitate the recovery of critical information systems and assets. |
| Information Security Policy | Outlines the organization's commitment to information security and provides guidance for the development, implementation, and maintenance of the ISMS. |
| Information Transfer Policy | Establish guidelines, procedures, and controls for the secure and controlled transfer of information assets within and outside the organization. |
| Monitoring and Logging Policy | Establish guidelines, procedures, and controls for the monitoring, collection, and retention of system logs and security events within an organization. |
| Monitoring and Measuring Policy | Outlines the methods, frequency, and objectives of monitoring and measuring activities to ensure that information security controls are operating effectively and meeting the desired outcomes. |
| Network Security Design | Establish a secure and robust network infrastructure that protects the confidentiality, integrity, and availability of information assets within an organization. |
| Patch Management and System Updates Policy | Establish guidelines, procedures, and controls for the timely and effective management of software patches and system updates within an organization's IT infrastructure. |
| Physical Protection Policy | Establish guidelines, procedures, and controls to safeguard physical assets, facilities, and resources that are critical to the organization's information security. |
| Secure System Architecture and Engineering Principles | Provide guidelines, principles, and best practices for designing, implementing, and maintaining secure and resilient information systems within an organization. |

 

 

7. Exceptions

  • Only the Information Security Head or his designated Officer may grant exceptions to the policies outlined in this document. Specific procedures for handling requests and authorizations for exceptions may be implemented in some circumstances.
  • Every time a policy exception is triggered, a security log entry must be made with the date and time, a description of the exception, the reason for the exception, and how the risk was managed.
  • All IT services shall be used following the technical and security criteria established during service design.
  • Policy violations may result in disciplinary action. They may even result in prosecution in some severe circumstances.

 

8. Performance Evaluation

Bi-annual policy audits and reviews will be done, with any required adjustments made. In addition, security systems will be subjected to an independent examination.

Here are some methods used to measure the effectiveness of the ISMS:

  • Key Performance Indicators (KPIs)
    • Policy compliance: The percentage of employees who have read and acknowledged the ISMS Policy.
    • Policy review frequency: Number of times the Policy is reviewed and updated.
    • Policy exceptions: The number of exceptions to the ISMS Policy granted.
    • Policy completeness: The extent to which the ISMS Policy covers all relevant areas of the Organization's information security.
    • Policy effectiveness: The degree to which the ISMS Policy effectively achieves its intended goals. The measure includes tracking security incidents, vulnerabilities, and other security metrics to determine if the Policy reduces the Organization's overall risk exposure.
  • Internal Audits: The auditor should review the ISMS to ensure that it complies with relevant standards, policies, and procedures. The auditor should also identify any gaps or areas for improvement. During an internal audit of an ISMS policy, the auditor will review the Policy to ensure that it is up-to-date, accurate, and relevant. The auditor will also evaluate the implementation of the Policy to determine if it is being followed correctly and if any improvements can be made.

    The internal audit process typically involves the following steps:

    • Planning and preparation: The auditor will identify the audit scope, determine the audit objectives, and develop an audit plan.
    • Fieldwork: The auditor will conduct interviews with key stakeholders, review documentation and records, and assess the effectiveness of controls.
    • Reporting: The auditor will prepare a report of their findings and recommendations for improvement.
    • Follow-up: The Organization will review and respond to the audit report and implement necessary corrective actions.
  • Management Reviews: Regular management reviews will help ensure that the ISMS is aligned with the Organization's objectives and is operating effectively. The management team should review the performance of the ISMS and identify any areas for improvement. The review should include an analysis of the KPIs and the results of the internal audits. The management team should then develop an action plan to address any issues identified during the review.

 

9. Policy Review

The Organization implements the following steps in reviewing ISMS Policy:

  • Establish the review schedule: The Organization determines the frequency of the policy review process. It is recommended to review policies annually or whenever there is a significant change in the Organization's environment.
  • Identify the policies to be reviewed: The policies that require review and updating will be identified. This may include policies related to access control, data classification, incident management, and others.
  • Review the Policy: The Policy will be reviewed to ensure that it is accurate, complete, and current. In addition, the review should consider any changes in the Organization's objectives, risk management strategy, or regulatory requirements.
  • Update the Policy: The Policy will be updated to reflect any necessary changes. The revised policies are then communicated to all relevant stakeholders.
  • Approve the policies: The revised policies should be approved by the appropriate personnel, such as senior management or the information security steering committee.
  • Implement the Policy: After the policies have been approved, they should be implemented and communicated to all relevant stakeholders. This involves training or awareness programs to ensure employees understand and comply with the policies.
  • Monitor the policies: Periodic audits or assessments will be conducted to evaluate the effectiveness of the Policy.

10. Communication

| Subject | Frequency | Whom to communicate | Who shall communicate | Risk involved | Mode of communication |
|---|---|---|---|---|---|
| Introduction to ISMS Policy | At least once per year by default and after significant changes of ISMS | All Employees | ISMS Manager | Lack of awareness and understanding of policies | Virtual, Email |
| IT Security Risk | At least once per year by default and after significant changes of ISMS | All Employees | RISK Manager | Unable to identify Risk | Virtual, Email |
| ISMS Training Sessions | At least once per year by default and after significant changes of ISMS | All Employees | HR and ISMS Manager | Inadequate knowledge of ISMS procedures | Virtual, Email |
| Incident Response Procedures | At least once per year by default and after significant changes of ISMS | All Employees | IT Department and ISMS | Improper response to security incidents | Virtual, Email |
| Policy Updates and Amendments | At least once per year by default and after significant changes of ISMS | All Employees | ISMS Manager, IMS Representative | Failure to adhere to updated policies | Virtual, Email |
| Periodic Security Awareness | At least once per year by default and after significant changes of ISMS | All Employees | HR and ISMS Manager | Increased vulnerability to social engineering | Virtual, Email |
| Annual Policy Review | At least once per year by default and after significant changes of ISMS | Management | ISMS Manager | Outdated or ineffective policies | Virtual, Email |
| Audit and Certification Updates | At least once per year by default and after significant changes of ISMS | All Employees | Certification Body, Authorities | Non-compliance with ISO 27001 and PCI DSS standards | Audit report Distribution |

             

11. Confidentiality

This document is copyrighted, and all rights are reserved. Without the prior written consent of an authorized representative of AzeriCard LLC, this document may not be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form, in whole or in part. This document is for internal use only and may be given to anybody outside the firm, including customers, clients, or prospects, in whole or in part, only after receiving consent from an authorized representative of AzeriCard LLC.

 

12. Legal, statutory, regulatory and contractual requirements

12.1 Legal, regulatory and contractual requirements procedure

The procedure for identifying, documenting and maintaining legal, regulatory and contractual requirements is summarised in the diagram below. Each step is expanded upon in the following sections.

 

 

[Figure: flowchart of the procedure. Steps: Start, Identify requirements, Assess implications, Document requirements, Define approach to meeting requirements, Review and Update]

Figure 1 Legal, regulatory, and contractual requirements procedure

 

12.2 Identify requirement

AzeriCard LLC relies upon the following internal teams and external bodies to identify legal, regulatory and contractual requirements that are relevant to its information security:

| TEAM/ORGANIZATION | AREAS COVERED | COMMUNICATION METHOD |
|---|---|---|
| Legal department | Laws relevant to information security, including privacy and data protection | Email alerts; Quarterly meetings |
| External legal advisers | Laws relevant to information security, including privacy and data protection | Webinars; Newsletters; Meetings on specific topics |
| Governance, Risk and Compliance team | Regulatory framework and requirements; Regulatory reporting | Email alerts; Quarterly meetings |
| Supplier Management | Contractual agreements, current and new bids | Email alerts; Quarterly meetings |
| Industry body | Laws, regulations, and other issues relevant to our industry | Seminars; Annual Conference |
| Regulatory Authority | Regulatory framework and requirements; Regulatory reporting | Official communications; Briefing events |
| Professional associations for information security | General legal, regulatory, and contractual issues for information security | National and regional meetings; Newsletters; Training |
| National and regional business groups | General legal, regulatory, and contractual issues for the business | National and regional meetings; Newsletters; Training |

Table 1: Source of requirements

 

 

In general, AzeriCard LLC will rely on the appropriate team or external organisation to provide an interpretation of the relevant sections of the item under review. Briefing papers, presentation materials, or other media may be used for this.

 

For reference purposes, the IS Manager must, if needed, procure complete copies of any pertinent source documents (such as laws or regulatory notices). These could be printed materials or digital files.

 

12.3 Assess implications

The ISMS Manager is responsible for ensuring that a full assessment of the implications of the relevant items for the ISMS is carried out. 

 

The assessment will include the following aspects:

 

  • The extent of the necessary modifications to the ISMS's associated policies, procedures, forms, and plans.
  • Urgency of meeting the requirement
  • The effects of failing to comply with the obligation.
  • Available options for meeting the requirement.

 

12.4 Document requirements

Once assessed, the relevant requirements will be documented at a high level as part of the ISMS within the document Information Security Context, Requirements and Scope. According to the ISMS documentation procedures, any changes to this document will be tracked.

 

Details of the requirements will be documented in the SLA register, Contract register, and External Documented Information register where the details will include at least:

 

  • Identification code
  • Regulation name
  • Type of requirement – legislative, regulatory, contractual, other
  • Details of the requirement, at an appropriate level
  • The reason for applicability
  • Compliance level
  • Dates the requirement applies from and to
  • Tracking Frequency

 

Where needed, confirmation of the interpretation of the requirement will be obtained from a relevant source, for example AzeriCard LLC legal department.

 

12.5 Define approach to meeting requirements

If an immediate update to the ISMS is required due to a new or modified requirement, this shall be done as quickly as feasible, and all recipients of the pertinent policies and procedures will be informed of the revisions. If not, the modification will be taken into account at the following ISMS yearly review.

 

The External Documented Information register will be updated with specifics of the strategy to be used and, where necessary, links to pertinent papers.

 

12.6 Review and update

At routine review meetings with internal departments, new requirements and modifications to existing requirements will be covered, especially:

 

  • Legal department
  • ISMS team
  • RISK Management Team
  • Supplier Management

 

As part of the ISMS yearly assessment, all pertinent requirements will be re-evaluated at least annually. At this time, appropriate counsel will be sought to guarantee that all modifications have been noted.

 

This approach will be followed for any new or modified requirements that are found during the review process, and the necessary adjustments will be made.

 

13. Configuration management

AzeriCard LLC should define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services and networks, for newly installed systems as well as for operational systems over their lifetime.

Roles, responsibilities and procedures should be in place to ensure satisfactory control of all configuration changes.

Standard templates:

Standard templates for the secure configuration of hardware, software, services, and networks should be defined:

  • using publicly available guidance (e.g., pre-defined templates from vendors and from independent security organizations).
  • considering the level of protection needed to determine a sufficient level of security.
  • supporting AzeriCard LLC’s information security policy, topic-specific policies, standards, and other security requirements.
  • considering the feasibility and applicability of security configurations in AzeriCard LLC’s context.

The templates should be reviewed periodically and updated when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced.

The following should be considered for establishing standard templates for the secure configuration of hardware, software, services, and networks:

  • minimizing the number of identities with privileged or administrator-level access rights.
  • disabling unnecessary, unused, or insecure identities.
  • disabling or restricting unnecessary functions and services.
  • restricting access to powerful utility programs and host parameter settings.
  • synchronizing clocks.
  • changing vendor default authentication information such as default passwords immediately after installation and reviewing other important default security-related parameters.
  • invoking time-out facilities that automatically log off computing devices after a predetermined period of inactivity.
  • verifying that license requirements have been met.

Managing configurations:

Established configurations of hardware, software, services, and networks should be recorded and a log should be maintained for all configuration changes. These records should be securely stored. This can be achieved in various ways, such as configuration databases or configuration templates.

Changes to configurations should follow the change management process.

Configuration records can contain, as relevant:

  • up-to-date owner or point of contact information for the asset.
  • date of the last change of configuration.
  • version of configuration template.
  • relation to configurations of other assets.

Monitoring configurations:

Configurations should be monitored with a comprehensive set of system management tools (e.g., maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths, and assess activities performed.

Actual configurations can be compared with the defined target templates. Any deviations should be addressed, either by automatic enforcement of the defined target configuration or by manual analysis of the deviation followed by corrective actions.

 

Other information:

Documentation for systems often records details about the configuration of both hardware and software. System hardening is a typical part of configuration management. Configuration management can be integrated with asset management processes and associated tooling.

Automation is usually more effective in managing security configuration (e.g., using infrastructure as code). Configuration templates and targets can be confidential information and should be protected from unauthorized access accordingly.

 

14. Intellectual property rights

Copyright for software or documents, design rights, trademarks, patents, products and source code licences are all examples of intellectual property rights.

To safeguard any content that could be regarded as intellectual property, the following principles should be taken into account:

  1. establishing and disseminating a topic-specific intellectual property rights protection policy.
  2. providing guidelines for using software and information items in conformity with intellectual property rights.
  3. acquiring software only from reliable and well-known sources to prevent copyright infringement.
  4. keeping suitable asset registrations up to date and identifying any assets that need to be protected by intellectual property rights.
  5. preserving proof of ownership for documents such as manuals and licences.
  6. ensuring that no upper limit on the number of users or resources (such as CPUs) set forth in the licence is exceeded.
  7. conducting reviews to ensure that only licensed products and authorised software are installed.
  8. establishing mechanisms for maintaining suitable licence restrictions.
  9. establishing protocols for software disposal or software transfer.
  10. respecting the terms and conditions for any software or data downloaded from the internet or other sources.
  11. not making copies of, converting to another format, or removing content from commercial audio or video recordings unless this is legal or covered by the necessary licences.
  12. not reproducing, in whole or in part, standards (such as ISO/IEC International Standards), books, articles, reports, or other works, unless expressly permitted by copyright law or the applicable licences.

 

The Chief Information Officer of AzeriCard LLC is accountable for this process. All intellectual property rights regulations correlate with the process of the Information classification policy.

 

Other information:

 

Typically, proprietary software products are provided with a licence agreement that outlines the terms and conditions of the licence, such as restricting use to a set of machines or allowing only backup copies to be made.

Information can be obtained from external sources. Typically, such data is acquired in accordance with the provisions of a data sharing agreement or other equivalent legal document. Such data sharing agreements should specify what processing of the acquired data is allowed. The source of the data should also be clearly stated.

 

Copying of proprietary content may be constrained by legal, statutory, regulatory, and contractual obligations. In particular, these obligations can stipulate that only content created by AzeriCard LLC, licenced to AzeriCard LLC, or provided to AzeriCard LLC may be used.

Legal action for copyright violations may result in penalties and criminal charges.

AzeriCard LLC must manage the risks of its employees and third parties violating its own intellectual property rights in addition to its responsibility to respect the intellectual property rights of others.
