1. Purpose
This Information Security Policy establishes a comprehensive framework to manage, protect, and secure sensitive and confidential information. It applies to all employees, contractors, and business units within the organization and aims to ensure that information is handled responsibly, securely, and in compliance with applicable legal, contractual, and regulatory obligations.
2. Scope
This policy applies to all organizational information assets, regardless of format, including digital, printed, or verbal data. It covers:
The handling of sensitive or confidential information.
Responsibilities of employees and management in safeguarding data.
Guidelines for using IT systems and resources securely.
3. Information Security Objectives
The policy aims to:
Ensure the availability, integrity, and confidentiality of information.
Establish clear roles and responsibilities for information security.
Protect information from unauthorized access, loss, damage, or misuse.
Comply with legal, regulatory, and contractual requirements.
Foster a culture of security awareness and accountability.
4. General Principles
Availability: Ensure information is accessible to authorized individuals when required.
Integrity: Safeguard information against unauthorized modification or destruction.
Confidentiality: Protect sensitive information from unauthorized disclosure.
Accountability: Assign clear responsibilities to employees and management to uphold security standards.
5. Responsibilities
Executive Oversight
Chief Executive Officer (CEO): The overall responsibility for information security lies with the CEO.
Chief Product Officer (CPO): Oversees the implementation and enforcement of this policy, ensures compliance, and manages the creation of related guidelines.
Managers
Ensure employees are aware of and comply with the information security policy.
Address security issues or uncertainties within their teams.
Employees
Read, understand, and comply with this policy.
Immediately report security incidents or suspicious activity.
6. Handling Sensitive Information
Information Classification
Sensitive Information: Data deemed highly confidential or private, requiring heightened security measures.
Such information must not be stored in cloud solutions unless explicitly authorized by the Client Partner and secured with encryption.
Storage and Distribution
All company and client-related information must be stored in approved locations:
Google Accounts managed by the company.
Google Drive for ongoing work and documentation.
Slack for temporary file transfers and collaboration (not for permanent storage).
Unauthorized storage methods, such as personal cloud services (e.g., Dropbox), are strictly prohibited.
Physical Documents
Printed sensitive materials must be securely disposed of using designated secure shredding containers.
7. IT Systems and Resources
General Systems
All information systems must adhere to ISO/IEC 27001 standards for security management.
System owners are responsible for maintaining compliance and documenting system details.
Protection Against External Threats
The organization ensures firewalls, antivirus software, and encryption tools are up to date and effective.
Routine penetration testing and vulnerability assessments are conducted.
Passwords and Authentication
Employees must maintain the confidentiality of their passwords and update them every six months.
Multi-factor authentication (MFA) is mandatory for all critical systems and applications.
8. Incident Reporting and Management
Incident Reporting: Employees must report security incidents or potential breaches immediately to the CPO and CEO.
Incident Review: All reported incidents are logged and analyzed to identify root causes and implement preventive measures.
Escalation: Significant incidents are escalated to the executive team for resolution and compliance reporting.
9. Internet, Email, and Social Media Usage
Internet
Internet use must align with business objectives and security protocols.
Employees are prohibited from accessing offensive, illegal, or unethical content.
Downloads from unknown sources are not permitted without approval.
Email
Limited personal email use is permitted but may be subject to monitoring.
Employees are responsible for managing their email storage and setting up automatic replies during absences.
Monitoring
Internet and email traffic may be monitored for compliance with this policy.
10. Confidentiality Agreements
All employees must sign a confidentiality agreement as part of their employment contract, acknowledging their obligation to protect sensitive information.
Client-specific confidentiality agreements are managed by the CFO and must align with organizational standards.
11. Security Awareness and Training
All employees receive mandatory training on information security practices during onboarding and at regular intervals.
Employees are provided with resources and updates to stay informed about evolving security risks and best practices.
12. Policy Review and Updates
This policy is reviewed annually or whenever significant changes occur in technology, business operations, or regulatory requirements.
Feedback from audits, incidents, and employees informs necessary updates.
13. Goals of Information Security
Ensure that all employees understand and comply with security guidelines.
Maintain robust protection for information and IT resources.
Prevent and mitigate security incidents to minimize business impact.
Foster a culture of continuous improvement in information security.
14. Enforcement
Violations of this policy may result in disciplinary action, up to and including termination of employment.
Severe breaches or incidents involving legal implications will be reported to authorities as required.