IT AND INFORMATION SECURITY POLICY
Last updated [26.10.2020]
Information is an essential business asset for MyProduction (“Company”) and its customers and shall therefore be suitably protected from threats in order to ensure business continuity and minimize business risk.
Company and its suppliers will therefore have in place information security management systems and security controls in line with best market practice.
2. INFORMATION SECURITY
Company shall document goals and direction for its Information Security.
Company shall ensure that there is a clear allocation of responsibility for Information Security within its operations.
Company shall have an appointed person who is responsible for leading and coordinating the Information Security work.
Company shall classify all information related to the Services provided to its customers so that it is ascribed the right level of protection.
Company shall document the classification under Section 2 and appoint persons or functions who are responsible for the information processed within its operations.
When security incidents or data breaches related to the Services provided for customers are brought to Company’s attention, these must immediately be reported to the affected customer.
3. IT OPERATIONS
Company shall ensure that its IT systems are sufficiently secure in relation to the nature of the information processed in the systems.
When assessing whether IT systems are sufficiently secure, Company should base this on the classification of information made under Section 2.
Company shall have documented overall goals and strategies for its IT Operations and regularly evaluate and update them if so required.
Company shall ensure that it is clear who is responsible for the various parts of Company’s IT Operations. Company shall appoint a person or function to be responsible for Company’s system requirements for each IT system.
Company shall have appropriate processes for managing its IT systems. Company shall document the processes and describe the circumstances of importance for managing its IT systems in a controlled way.
Company shall have documentation for each individual IT system that is of importance to the operation. These systems shall be specified in a list that is to be regularly reviewed and updated if so required.
The purpose of the documentation is to mitigate dependency on key personnel and ensure an internal knowledge base. The documentation shall at least describe how the IT system shall be used, functionality, relevant internal design and description of operational routines.
4. IT SECURITY
Company will implement IT Security control activities as part of its overall security strategy, including but not limited to monitoring of the security controls in place (such as firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), file-integrity monitoring (FIM), anti-virus, access controls, etc.) to ensure they are operating effectively and as intended.
Company will also endeavor to ensure that all failures in security controls are detected and responded to in a timely manner. Processes to respond to security control failures should include:
- Restoring the security control
- Identifying the cause of failure
- Identifying and addressing any security issues that arose during the failure of the security control
- Implementing mitigation (such as process or technical controls) to prevent the cause of the failure recurring
- Resuming monitoring of the security control, perhaps with enhanced monitoring for a period of time, to verify the control is operating effectively
Company will perform periodic reviews to confirm that IT Security requirements continue to be in place and that personnel are following secure processes. These periodic reviews should cover all facilities and locations, including data centers, etc., and include reviewing system components (or samples of system components) to verify that IT Security requirements continue to be in place: for example, that configuration standards have been applied, patches and AV are up to date, audit logs are being reviewed, and so on.
Company will review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet Company’s security requirements.
5. CONTINGENCY MANAGEMENT
Company shall maintain a business contingency plan for reestablishing operations after unforeseen events. Company shall at least annually test the business contingency plan.