Information security is a part of the organization's management and quality process that must contribute to the handling of information being carried out in a decided manner and with the intended security.
Introduction
The company works with assignments that can often be considered sensitive or confidential in nature. The assignments may relate to sensitive or confidential information concerning individuals or companies or relate to sensitive or confidential information owned by companies or individuals.
As a business strategist for the company’s clients, the company and its employees have a contractual and, in some cases, also a legal responsibility to protect such information that may be considered sensitive or confidential.
This policy document has been added to inform the company’s employees about the rules to be applied to all information management in the company. The policy document must be read by all employees and a document must be signed after reading as a receipt that this has been done. The policy document must be routinely presented to all new employees in connection with introductory programs or equivalent. The policy is also available on the company's application – Howwe®.
General Information Security
Information is one of the company’s customers' most important assets and is a prerequisite for being able to run the business. The company’s and its customers' information assets must therefore be treated and protected in a satisfactory manner.
Starting points in the company’s work with information security are:
Applicable laws, ordinances, and regulations
The company’s own requirements
The requirements of the company’s clients
The company’s agreements
Information assets refer to all information regardless of whether it is processed manually or automatically and regardless of the form or environment in which it occurs. Information security includes the company’s information assets without exception.
In the company’s organization, information security refers to:
That the right information is available to the right person at the right time, when it is needed, and in a traceable way.
That the information is and remains correct.
That information is handled in a secure way.
Information security is an integral part of the company’s business. Everyone who handles information assets has a responsibility to maintain information security.
It is also the responsibility of managers at all levels to actively work for a positive attitude towards security work.
Everyone should be aware of and report events that may affect the security of the company’s information assets. All parts of the organization are bound by the company’s information security policy, which means that it is not permitted to decide on local rules that deviate from this.
Anyone who uses the company’s information resources in a manner that is contrary to this policy may be subject to action.
The company guarantees its clients a high level of security, which places great demands on the company’s systems, system environment, the company’s way of working and the company’s employees. Security is always the focus of the company’s attention, and the company therefore urges every employee to put security issues first in their daily work.
The company protects its information by systematically protecting and restricting access to information. Some of the methods and principles that are applied are listed below:
The company follows current legislation
The company’s common database has different authorization levels
The company protects electronic information through periodic backups
The company has protection against viruses and other intrusion attempts
Authorization levels are applied in the business with regard to limiting the possibilities for unauthorized access to sensitive information.
General for work with commissioned activities within the company
Information about, or which can be traced to, the company’s clients, or information about the company’s assignments, may under no circumstances be disclosed to unauthorized persons, i.e., persons who are not employees of the company, unless permission has been granted by the CEO or the Information Security Officer.
Through their employment agreement, all employees in the company sign a confidentiality agreement that includes a duty of confidentiality regarding the handling of sensitive and confidential information. Through their employment, employees have also confirmed the company’s information security policy.
If there is uncertainty about the company’s restrictions, ask the nearest manager.
Confidentiality agreement
In general, the company’s assignment agreements, including confidentiality agreements, shall be applied to all assignments. If the assignment requires that a special confidentiality agreement be applied, the nearest manager is consulted.
If a client demands that a confidentiality agreement other than the company’s should be applied, such agreement must always be submitted to the CFO.
Customer manager
Each assignment must have a customer partner (Client Partner) appointed who is responsible for the assignment being conducted in a professional manner, delivered on time and in such a way that it in all respects corresponds to the standard the company has established.
Protected reference
Assignments that can be judged to be of a particularly sensitive or confidential nature must always be given an anonymizing project name. Project names are determined by the Client Partner and shall, if necessary, be used internally and externally to protect the client. The use of special project names is decided by the Client Partner.
Rules for the use of the internet, email and social media
The company’s policy is that the use of the Internet for private purposes during working hours shall be restrictive and limited to absolutely necessary private matters such as travel bookings and the like. Should it be discovered that an employee goes further in their use, this may have consequences for the employment relationship.
All Internet traffic can pose security risks to the company’s regular operations, and all employees are therefore encouraged to be careful in their Internet use. This is especially true when downloading software from unknown sources. In case of doubt, contact the Information Security Officer or the immediate supervisor. Any Internet use, communication, handling, storage or distribution involving racist, pornographic or criminal material is prohibited. Internet traffic on the company’s equipment and networks may be monitored as necessary, and the company reserves the right to review, at any time, all traffic that has passed through the company’s computers and networks.
E-mail traffic for private purposes is permitted to a limited extent, but the employee must then understand that such email may be subject to review.
Rules for the protection of sensitive information
Storage or distribution of information must always take place in a secure manner. Responsibility for ensuring that this always happens lies with the employee and with the responsible manager of the business.
The Information Security Officer is responsible for ensuring that the company’s instructions for storing information are always up to date and known to the company's managers.
If the information is physically printed, it is the employee's responsibility to handle it carefully and to place it in the designated secure container for destruction by a third party. This container is located in the storage room at Skeppsbron 44. Each employee is responsible for ensuring that such printouts are never thrown in the ordinary trash.
Instruction for storing information
All information concerning the company or the client must be stored in a place administered and designated by the company. As a company employee, you should not store information locally on your computer. This is to prevent loss of information if the computer is damaged or lost and to ensure adequate security.
The following places are designated and approved storage areas:
Google Accounts managed by the company
Google Drive is the company’s cloud-based file storage service. All other work documentation is stored here, both internally and externally.
In addition to this it is allowed to use Slack to transfer and comment on ongoing work, however note that such files are not stored permanently. Mail should be avoided as a storage method.
It is not allowed to store information on other media, devices or private cloud solutions such as Dropbox or the like.
Information classification
From time to time, the company may handle information that is classified as particularly sensitive. It is the Client Partner's responsibility to decide in consultation with the customer if this is the case. Information described as "Particularly sensitive" must not be shared in a cloud solution but stored on an external device (USB memory, external hard drive or similar) which must be stored locked in the company safe in the office when not in use. The external device must be marked with a customer designation and protected by encryption that only relevant personnel have access to.
Password
All employees undertake to keep their passwords secret and to change them every six months. Employees are reminded of this at each kick-off.
Goals
The overall goal of this policy is to prevent the company’s information from being handled incorrectly in the company’s daily work and in the event of disturbances of various kinds. For the company’s information security work, the following must apply:
all personnel have knowledge of current information security rules
all information is secure, efficient and contributes to increased protection and support for employees, collaborating partners and third parties
entered agreements are known and followed
all assets including information and technical equipment have adequate protection
there is access to a common, secure and well-defined infrastructure for external and internal data communication
events in the information systems that can lead to negative consequences are prevented
Organization, roles & responsibilities
Overall responsibility
The overall responsibility for information security lies with Per Forslund, CEO. The Information Security Officer is Stina Åkesson, CFO.
The CPO is responsible for fulfilling the continuity plan for the IT support.
Roles & responsibilities
Organization, roles and distribution of responsibilities must contribute to the information being administered and handled in a correct manner. This also applies to the company’s information systems so that throughout their lifetime they contribute to supporting the intended activities and meeting the policy's goals. The company’s information systems with all their parts are a resource in the business in the same way as staff, premises, office supplies etc.
The Information Security Officer is responsible for supervising and verifying that the company’s information security policy is complied with and that applicable laws and regulations are applied. The Information Security Officer is also responsible for creating guidelines that clarify the responsibilities and powers of employees in relation to the network.
The operations managers in general are responsible for ensuring that the information security policy is applied in the day-to-day operations and that employees understand this.
The responsible manager is responsible for informing employees and new employees about the information security policy. At the same time, it is a stated requirement that employees have their own responsibility to take part in this. If there is uncertainty or other issues concerning information or communication management, the immediate supervisor or, alternatively, the Information Security Officer must always be consulted.
Information systems
General information systems
All information systems must be identified and listed, and system owners must be designated for them. All information systems must comply with the information security guidelines described in the ISO/IEC 27001 recommendations.
Incident & problem reporting (internal)
In day-to-day operations, incidents, problems or situations that are deemed to contain security aspects must always be reported without delay to the Information Security Officer and to the CEO. Incidents are reported via e-mail and stored in the incident reporting management system.
Protection against external intrusion
The company guarantees reasonable protection against external intrusion in relation to the nature of the business. This means that firewalls, virus protection and encryption are kept up to date and active.
Revision & Follow-up
Follow-up is an important part of the information security work to ensure that:
decided measures have been implemented
rules are followed
policies and instructions are revised when necessary.
This information security policy and associated instructions must be revised, when necessary, but at least once a year by the Information Security Officer. Audit documents are available separately.