Information Security Policy
1. Purpose
This Information Security Policy establishes the framework for safeguarding the confidentiality,
integrity, and availability of the Company’s information assets. The policy aims to protect against
security threats, ensure compliance with legal and regulatory requirements, and support the
organization’s business objectives.
2. Scope
The scope of the Information Security Management System (ISMS), and therefore of this policy,
covers all employees, contractors, and other individuals with access to the Company's
information systems, and extends to all physical and digital assets, data, applications, networks,
and cloud environments.
3. Roles and Responsibilities
   ●   Senior Management: Ensures alignment of security initiatives with business objectives
       and provides necessary resources.
   ●   Information Security Officer (ISO): Oversees the implementation and enforcement of
       security controls.
   ●   Engineering/IT Department: Manages security technologies, monitors threats, and
       ensures system integrity.
   ●   Employees and Contractors: Adhere to security policies and report any security
       incidents.
4. Information Security Objectives
The Company strives to achieve these key objectives:
   ●   Confidentiality: Protect sensitive data from unauthorized access or disclosure.
   ●   Integrity: Ensure data accuracy and prevent unauthorized modifications.
   ●   Availability: Ensure reliable access to critical systems and data when needed.
5. Access Control
   ●   Access to information systems must be granted on a need-to-know basis and approved
       by the appropriate authority.
   ●   Employees must use the Company's single sign-on (SSO) account where available, and
       strong passwords together with multi-factor authentication (MFA) where SSO is not available.
   ●   Privileged accounts must be monitored and reviewed regularly.
6. Data Protection
   ●   Sensitive information must be encrypted during storage and transmission.
   ●   Data retention policies must be enforced to ensure compliance with regulatory
       requirements.
   ●   Backups must be performed regularly and tested to confirm that data can be recovered.
7. Incident Management
   ●   All security incidents must be reported to the Information Security Officer immediately.
   ●   Incident response procedures must be followed to mitigate, investigate, and recover
       from incidents.
   ●   Security breaches must be documented and reviewed for lessons learned.
8. Security Awareness & Training
   ●   All employees must complete security awareness training during onboarding and at least
       annually thereafter.
   ●   Periodic training may be provided in specific areas, such as phishing and social
       engineering.
   ●   Employees must acknowledge security policies upon hire and abide by all company
       policies and procedures throughout their employment.
   ●   Upon significant changes to existing policies or procedures, employees will be informed
       or trained accordingly.
9. Compliance & Audit
   ●   The organization must comply with applicable security regulations, standards, and
       frameworks (e.g., ISO 27001, SOC 2, GDPR, HIPAA).
   ●   Regular internal and external audits must be conducted to assess compliance and
       identify security gaps.
   ●   Non-compliance with security policies may result in disciplinary action.
10. Policy Review & Updates
This policy must be reviewed and updated annually or as needed to address emerging threats
and regulatory changes. The Information Security Officer is responsible for ensuring updates
are communicated across the organization.
11. Enforcement
Violations of this policy may result in disciplinary actions, including termination of employment or
legal consequences, depending on the severity of the violation.