Information Security Policy for our Customers


1. Introduction

1.1 Purpose

This Information Security Policy is put into effect by the management and documents the basic requirements for information security at ITpoint Systems AG. It is the basis for all further instructions and activities in information security management and demonstrates the high value placed on the confidentiality, availability and integrity of information in the care of ITpoint Systems AG.

ITpoint Systems AG is aware of the fact that absolute security is not achievable in a flexibly used IT infrastructure. This policy therefore defines a level of security to strive for, taking into account factors such as functionality, costs, efficiency and legal requirements. In particular, ITpoint Systems AG is committed to the security of customer assets.


1.2 Scope

This document and the regulations it contains, as well as documents derived from it, are binding for all internal and external employees of ITpoint Systems AG and must be brought to their attention. Its scope extends to all services, data, systems and components under the responsibility of ITpoint Systems AG. The security regulations in agreements with customers, partners and suppliers are aligned with this Information Security Policy.


1.3 Violations

By completing and signing the ITpoint Systems AG Information Security Compliance Test, the employee acknowledges that he/she has read and understood the Security Policy and the other requirements (see section 1.5).

Violations are defined as actions that have caused, or could cause, harm. Harm includes financial losses, damage to reputation and legal violations that carry penalties; it also covers the use of company or customer information for illegal or non-official purposes. Deliberate or grossly negligent violations of this Information Security Policy and of the regulations derived from it may have disciplinary or labor law consequences and, in serious cases, criminal or civil law consequences. Warnings are issued by the Security Manager or the direct supervisor and are recorded in the personnel file.

In the event of non-compliance with contractual agreements relating to security, services provided may be restricted or discontinued.


1.4 Approval and modification

The Information Security Policy is adopted and put into effect by the management of ITpoint Systems AG. It is reviewed regularly, but at least once a year, and updated if necessary. Changes are proposed by the Chief Information Security Officer at the Management Review, discussed and approved by the Executive Board. Exceptions are proposed by the Chief Information Security Officer or the Change Advisory Board and approved by the CEO or the Executive Board.


1.5 Legal, contractual and internal requirements

ITpoint Systems AG undertakes to comply with the following requirements:

  • Requirements from the law (Swiss Federal Act on Data Protection, DSG; EU General Data Protection Regulation, GDPR/DSGVO)
  • Requirements from customer and supplier contracts
  • Internal higher-level requirements from the business strategy
  • Internal subordinate requirements from the following documents (current version in each case):
    • ITpoint Information Security Compliance Test
    • ITpoint Information Security Guidelines
    • ITpoint ISDS Public Cloud Guidelines
    • ITpoint Disk Guidelines
    • ITpoint Cryptographic Guidelines

2. Security Targets

Information is crucial to the success of ITpoint Systems AG and its customers. In addition to availability, the confidentiality of information is of the utmost importance. Every employee must therefore be aware of the need for information security and act accordingly. This is not only required by law, but is also part of our obligations to customers and regulatory authorities. ITpoint Systems AG wants customers, employees, partners and suppliers to recognize ITpoint Systems AG as a secure and trustworthy service provider. The following security objectives have been adopted by the ITpoint Systems AG management:

  • Protection of assets and specifically information according to the criteria:
    • Confidentiality
    • Integrity
    • Availability
  • Agreements with customers regarding quality and security are observed at all times for all products and services offered by ITpoint Systems AG. The security level of our products and services is in line with the market.
  • All employees take personal responsibility for security issues; appropriate measures enable them to do so.
  • Contractual partners of ITpoint Systems AG (customers, partners, service providers, external consultants, suppliers, etc.) comply with the relevant security requirements. As a minimum, a mutual NDA is signed.
  • Legal requirements are complied with.

3. Implementation

In order to achieve the objectives, the following framework conditions must be observed and ensured.

3.1 Security awareness

The security objectives and measures are brought to the attention of employees at regular intervals, at least once a year. In particular, it is ensured that new internal or external employees are familiarized with the security regulations and made aware of their personal responsibility. ITpoint Systems AG offers its employees IT security training to promote awareness and to pass on knowledge gained from day-to-day business. In addition, a regular security newsletter is published via the internal communication platform Yammer.


3.2 Risk Management

Risk assessments are carried out periodically as part of the risk management process. The risk management system is an integral part of the information security management system and is based on ISO/IEC 27005. All relevant threats are assessed for the extent and frequency of damage in accordance with that standard.

The risk analysis determines the risk in detail, based on conformity with the established ITpoint Systems AG security standards, and identifies the additional measures to be taken where the need for protection is increased. The criteria for the need for protection are defined as follows:

Confidentiality

The assets of ITpoint Systems AG are categorized according to confidentiality levels as per the ITpoint Systems AG Security Policy:

  • External V0: Anyone may use the information and there are no special requirements. A loss of such data would cause no damage.
  • Internal V1: Information is freely available within ITpoint Systems AG according to the assigned access rights. A loss of such data would cause damage (Compliance/Financial/Image -> A2).
  • Confidential V2: Information is sensitive and intended only for defined persons. A loss of such data would cause severe damage (Compliance/Financial/Image -> A3-A4).

Integrity

  • Normal I1: In principle, all assets have a normal protection requirement.
  • High I2: If the correctness and traceability of the asset’s content is essential for the company, it has a high protection requirement.

Availability

  • Low A1: Customers without SLA
  • Normal A2: Customers with SLA, 99.7%, RTO 72h
  • High A3: Customers with SLA, 99.7%, RTO 12h
  • Very High A4: ITpoint environment / CNG management environment

A risk assessment (RA) is required whenever an asset's classification is equal to or greater than one of the following levels:

  • Confidentiality = V2
  • Integrity = I2
  • Availability = A3

Assets at the following levels are covered by the baseline measures defined in the information security management system, which address standard threats and vulnerabilities:

  • Confidentiality = V1
  • Integrity = I1
  • Availability = A1, A2

The risk acceptance criteria are defined by management and reviewed annually. If a risk exceeds these criteria, measures are defined to mitigate it. The measures are transferred to the ITpoint Systems AG CSI register and processed there.


3.3 Security measures

ITpoint Systems AG takes technical and organizational security measures to protect all systems and data that are critical to our business and relevant to our operations.

Technical measures:

  • Identity & access management for sensitive infrastructures/applications
  • Monitoring solutions for the detection of security incidents
  • General security installations such as firewalls, antivirus, IDS/IPS, proxies, DDoS protection, etc.
  • Secure remote access (VPN / 2FA)
  • Physical security of ITpoint Systems AG data centers such as lockable doors, access control, video surveillance, etc.
  • Data availability through redundant infrastructures
  • Restorability through backup / restore procedures
  • Cryptographic measures (data transmission)

Organizational measures:

  • Trained employees
  • Regulation concerning the handling of personal data
  • Personnel audit
  • Management systems for information security, risk management, business continuity according to ISO/IEC 20000 and 27001
  • Certifications according to ISO/IEC 20000 and 27001
  • NDA / non-disclosure agreements with external service providers
  • ISAE 3402 Type 1 report
  • Data processing agreements for GDPR-relevant customer relationships
  • Data processing agreement with the parent company (Sharp)

4. Security organization

4.1 Executive Board

The management of ITpoint Systems AG bears overall responsibility for security, makes decisions in this area and adopts the Security Policy. Periodically, but at least once a year, a management review takes place. The Security Manager prepares a security report for this purpose.

At a minimum, the report shall include the following:

  • General condition of the security management system
  • Audits performed
  • Development of the security status
  • Definition and achievement of security objectives
  • Risk situation and status of particular risks

Decided measures are documented in the minutes.


4.2 CISO

The CISO is a staff position reporting to the Executive Board and is the interface between the security & compliance team and the Executive Board. The Chief Information Security Officer is responsible for:

  • Definition of the company-wide information security policy (Information Security Policy)
  • Definition of security requirements in consultation with management
  • Establishment and operation of a risk management system
  • Development of information security related policies, standards and guidelines
  • Regular execution of internal and external security audits
  • Definition of KPIs with monitoring of the effectiveness of information security measures
  • Regular reporting
  • Support for information security issues and the definition of specific security requirements at management level
  • Development of awareness programs
  • Analysis of current threat situations and preparation of reports
  • Establishment and operation of the Information Security Management System (ISMS)
  • Exchange with security organizations and authorities
  • Gathering information about current threats and targeted countermeasures

4.3 Security & Compliance Manager

The Security & Compliance Manager is charged with ensuring the protection of information assets and is responsible for the implementation or coordination of security measures.

  • Definition of the company-wide information security policy
  • Establishment and operation of a risk management system
  • Development of information security-related policies, standards and guidelines
  • Regular execution of internal and external security audits
  • Definition of KPIs with monitoring of the effectiveness of information security measures
  • Regular reporting
  • Development of awareness programs
  • Analysis of current threat situations and preparation of reports
  • Establishment and operation of the new Information Security Management System (ISMS)
  • Exchange with security organizations and authorities
  • Gathering information about current threats and targeted countermeasures
  • Consulting and support of the departments in questions of information security as well as IT compliance
  • Auditing of IT projects

4.4 Information owner

The information owners shall ensure within their area of responsibility that

  • the information and systems are classified according to business relevance.
  • the security objectives are met.

4.5 Information user

Each business unit of ITpoint Systems AG is responsible for the security of its information in terms of confidentiality, integrity and availability, and for protecting the information adequately according to its value and the risk to the business or technical environment concerned. Users report violations of the Security Policy to the Service Desk, which consults the supervisor or the Security Manager. Service contracts set out the obligations of information users, as do contracts with external employees.


4.6 Partners, suppliers, visitors

An NDA is signed with partners or suppliers whenever information is exchanged. The ITpoint Systems AG NDA applies mutually and to the cooperation defined in the NDA. If employees of partners need access to ITpoint Systems AG systems or an ITpoint Systems AG account, they are treated the same as internal employees: they must read the policies and instructions and pass the security test. Visitors must register on a visitor list when entering an ITpoint Systems AG office.


4.7 Crisis team and emergency management

The crisis team is responsible for managing business-critical incidents (such as a Major Incident) that escalate into crises. The Continuity Manager is responsible for the development and continuous improvement of emergency preparedness. In the event of a major incident, the crisis team consists of at least the Major Incident Manager and the Communication Manager. If necessary, Executive Board (GL) members and team leaders are called in. In the case of environmental crises (pandemic, environmental disaster, etc.), the crisis team is assembled as required (see, for example, the pandemic plan).


ITpoint Information Security Policy
Version: 1.2 | 23.08.2021