Cybersecurity Policy
Introduction
The Security Policy establishes the leadership expectation around practices required to maintain secure systems. By following the cybersecurity policy and supporting standards, we ensure that we remain within the organization's risk tolerance. The organization's risk tolerance statement reads:
The integrity and confidentiality of our customers' and personnel's data, our intellectual property, and the ensured continuity of our operations are top priorities. Our organization considers any decisions or actions that expose our firm, counterparties, and customers to significant cybersecurity risk unacceptable.
Scope
This policy applies to all individuals who access company-provided systems. Whether you’re an employee, contractor, or visitor, these guidelines govern your use of networks, devices, and software.
Policies
Govern Policies
Organizational Context. The circumstances—mission, stakeholder expectations, and legal, regulatory, and contractual requirements—surrounding Facebook's cybersecurity risk management decisions are understood.
Risk Management Strategy. Facebook's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
Cybersecurity Supply Chain Risk Management. Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by company stakeholders.
Roles, Responsibilities, and Authorities. Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.
Policies, Processes, and Procedures. Facebook's cybersecurity policies, processes, and procedures are established, communicated, and enforced.
Oversight. Results of company-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
Identify Policies
Asset Management. Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable Facebook to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the company's risk strategy.
Risk Assessment. Facebook understands the cybersecurity risk to the company, assets, and people.
Improvement. Improvements to Facebook's cybersecurity risk management processes, procedures, and activities are identified across all Framework Functions.
Protect Policies
Identity Management, Authentication, and Access Control. Access to physical and logical assets is limited to authorized users, services, and hardware, and is managed commensurate with the assessed risk of unauthorized access (see the Authentication Requirements and Identity & Access Requirements).
Awareness and Training. Facebook's personnel are provided cybersecurity awareness and training so they can perform their cybersecurity-related tasks (see the Awareness & Training Requirements).
Data Security. Data is managed in a manner consistent with Facebook's risk strategy to protect the confidentiality, integrity, and availability of information.
Platform Security. The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed in a manner consistent with Facebook's risk strategy to protect their confidentiality, integrity, and availability.
Technology Infrastructure Resilience. Security architectures are managed in a manner consistent with Facebook's risk strategy to protect asset confidentiality, integrity, and availability, and to support company resilience.
Detect Policies
Continuous Monitoring. Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
Adverse Event Analysis. Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.
Respond Policies
Incident Management. Responses to detected cybersecurity incidents are managed.
Incident Analysis. Investigation is conducted to ensure effective response and support forensics and recovery activities.
Incident Response Reporting and Communication. Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies.