This Information Security Policy is put into effect by the management team and documents the basic requirements for information security at ITpoint Systems AG. It is the basis of all further instructions and activities in information security management and demonstrates the importance of confidentiality, availability and integrity of information in the custody of ITpoint Systems AG.
ITpoint Systems AG is aware of the fact that absolute security is not achievable in a flexible IT infrastructure. This policy therefore defines a level of security to be pursued, taking into account factors such as functionality, cost, efficiency and legal regulations. In particular, ITpoint Systems AG is committed to the security of customer values.
This document and the regulations contained therein, as well as the documents derived therefrom, are binding and must be brought to the attention of all internal and external employees of ITpoint Systems AG. The scope covers all technical services, data, systems, components and customer services under the responsibility of ITpoint Systems AG.
The security regulations of agreements with customers, partners and suppliers are aligned with the Information Security Policy.
By signing and completing the ITpoint Systems AG Information Security Compliance Test, the employee acknowledges that he/she has read and understood the Security Policy and the other requirements (see section 1.5).
Violations are actions that have caused or could cause damage, either actual damage or potential damage. Damage is understood to mean financial losses, damage to good reputation and legal violations with criminal consequences. This also applies to the use of company and customer information for illegal or non-service purposes. Intentional or grossly negligent violations of this Information Security Policy and regulations derived from it may have disciplinary or labour law consequences – in serious cases also criminal or civil law consequences. Warnings are issued by the Security Manager and the direct manager and are recorded in the personnel file. In the event of non-compliance with contractual agreements relating to security, services provided may be restricted or discontinued.
Employees in management functions are concerned that security requirements are met and report breaches to HR and the Security & Compliance team. This is further supported by reviewing the results of internal audits, by results provided by monitoring and measurement tools, and by assessing the results achieved against security objectives and key performance indicators (KPIs). In addition, those responsible must determine how any non-conformities identified are to be handled.
The Information Security Policy is adopted and enacted by the ITpoint Systems AG management team. It is checked and, if necessary, modified at least once a year. Changes are proposed by the Chief Security Officer at the Management Review meeting, discussed and approved by the management team. Exceptions are proposed by the Chief Security Officer or the Change Advisory Board and approved by the CEO or executive board.
ITpoint Systems AG commits to comply with the following requirements:
*currently not translated into English
Information is an important factor to the success of ITpoint Systems AG and its customers. In addition to availability, the confidentiality of information is of the utmost importance. Every person must therefore be aware of the need to information security and act accordingly. This is not only required by law, but also part of our obligations towards customers and regulators. ITpoint Systems AG wants customers, employees, partners and suppliers to understand that ITpoint Systems AG is a secure and trustworthy service provider. The following security objectives have been adopted by ITpoint management:
In order to In order to achieve the objectives, the following framework conditions must be observed and ensured.
The requirements for safety objectives and measures are brought to the attention of the organization at regular intervals, at least once a year. In particular all new internal or external employees are familiarized with the security regulations and that their personal responsibility is pointed out. ITpoint Systems AG offers its employees IT security trainings in order to promote awareness and pass on security experience from day-to-day business. In addition, a regular security newsletter has been established, which is made available via the company internal communication platform.
Risk assessments are carried out periodically as part of the risk management process. Risk management is an essential part of the information security management system and is based on the ISO27005 standard. All relevant ISO27005 threats are assessed for damage and frequency. In addition, the ENISA Top 15 threats are periodically reviewed and reassessed.
The risk analysis is used to determine the risk in detail based on compliance with the defined ITpoint safety standards, as well as possible additional measures taken in the event of increased protection requirements. The criteria for the need for protection are defined as follows:
ITpoint assets are categorized according to confidentiality levels in accordance with the ITpoint Security Policy
In principle, the requirements for the execution of an RA are as follows:
The defined measures in the Information Security Management System cover the standard threats and vulnerabilities as part of basic security:
The risk acceptance criteria are defined by the management and reviewed annually. If risks are too high, measures to reduce them are defined (risk mitigation). The measures are transferred to the ITpoint Systems AG Continual Service Improvement (CSI) register and mitigated accordingly.
ITpoint Systems AG takes technical and organizational security measures to protect and maintain all systems and data critical to our business and relevant to our business activities.
The management team of ITpoint Systems AG has the overall responsibility for security, makes decisions in this area and adopts the security policy. A management review takes place periodically, but at least once a year. The Security Manager and the Process Manager produce a consolidated ISO20000/27001 management report, which is electronically signed by senior management.
The report shall include at least the following aspects related to ISO27001:
Decided measures are documented in the protocol.
The CISO (Chief Information Security Officer) is defined as a staff position of the management team. The CISO forms the interface between the Security & Compliance Team and the management board. The Chief Information Security Officer is responsible for:
The Information Security & Compliance Manager is responsible for ensuring the protection of information values and is responsible for the implementation and coordination of security measures.
Information owners have the responsibility to:
Each business entity is committed to the security of its information in terms of confidentiality, integrity and availability and responsible to ensure adequate protection of the information according to its value and risk to the relevant business or technical environment. Users report security policy violations to the security manager or their line manager, who in turn includes the security manager.
Service contracts as well as contracts with external employees, refer to the obligations of information users regarding information security.
A Non Disclosure Agreement (NDA) will be signed with partners or suppliers when information is being exchanged. The ITpoint NDA applies to both parties, ITpoint and to the cooperation defined in the NDA. If partner employees need access to ITpoint systems or an ITpoint account, they will be treated in the same way as internal employees. They must read the policies, guidelines and instructions and pass the security test. Visitors must register on a visitor list when entering an ITpoint office.
The crisis unit is responsible for managing and handling of major incidents that potentially escalate into a crisis. The Business Continuity Manager is responsible for the development and continuous improvement of emergency procedures.
In the event of a major incident, the crisis team shall consist of at least the Major Incident Manager and the Communication Manager. If necessary, management team members and team leaders are called in for support. In the case of environmentally related crises (such as pandemic, environmental disaster), the crisis team is put together as required and according to separate plans (Please, see pandemic plan for reference).
ITpoint Information Security Policy
Version: 1.5 | 20.06.2022