This Information Security Policy is put into effect by the management and documents the basic requirements for information security at ITpoint Systems AG. It is the basis for all further instructions and activities in information security management and demonstrates the high value placed on the confidentiality, availability and integrity of information in the care of ITpoint Systems AG.
ITpoint Systems AG is aware of the fact that absolute security is not achievable in a flexibly used IT infrastructure. This policy therefore defines a level of security to strive for, taking into account factors such as functionality, costs, efficiency and legal requirements. In particular, ITpoint Systems AG is committed to the security of customer assets.
This document and the regulations it contains, as well as documents derived from it, are binding for all internal and external employees of ITpoint Systems AG and must be brought to their attention. The areas of application extend to all services, data, systems, components and services under the responsibility of ITpoint Systems AG. The security regulations of agreements with customers, partners and suppliers are aligned with the Information Security Policy.
By signing and completing the ITpoint Systems AG Information Security Compliance Test, the employee acknowledges that he/she has read and understood the Security Policy and the other requirements (see section 1.5).
Violations are defined as actions that have caused or could cause actual or potential harm. Damage is understood to include financial losses, damage to good reputation and legal violations with penalties. This also refers to the use of company and customer information for illegal or non-official purposes. Deliberate or grossly negligent violations of this Information Security Policy and regulations derived from it may have disciplinary or labor law consequences – in serious cases also criminal or civil law consequences. Warnings will be issued by the Security Manager or the direct supervisor and will be recorded in the personnel file.
In the event of non-compliance with contractual agreements relating to security, services provided may be restricted or discontinued.
The Information Security Policy is adopted and put into effect by the management of ITpoint Systems AG. It is reviewed regularly, but at least once a year, and updated if necessary. Changes are proposed by the Chief Information Security Officer at the Management Review, discussed and approved by the Executive Board. Exceptions are proposed by the Chief Information Security Officer or the Change Advisory Board and approved by the CEO or the Executive Board.
ITpoint Systems AG undertakes to comply with the following requirements:
Information is crucial to the success of ITpoint Systems AG and its customers. In addition to availability, the confidentiality of information is of the utmost importance. Every employee must therefore be aware of the need for information security and act accordingly. This is not only required by law, but also part of our obligations to customers and regulatory authorities. ITpoint Systems AG wants customers, employees, partners and suppliers to understand that ITpoint Systems AG is a secure and trustworthy service provider. The following security objectives have been adopted by the ITpoint Systems AG management:
In order to achieve the objectives, the following framework conditions must be observed and ensured.
The specifications on security objectives and measures are brought to the attention of the employees at regular intervals, at least once a year. In particular, it is ensured that new internal or external employees are familiarized with the security regulations and made aware of their personal responsibility. ITpoint Systems AG offers its employees IT security training to promote awareness and pass on knowledge gained from day-to-day business. In addition, a regular security newsletter has been established, which is made available via the internal communication platform Yammer.
Risk assessments are carried out periodically as part of the risk management process. The risk management system is an integral part of the information security management system and is based on the ISO 27005 standard. All relevant threats are assessed for the extent and frequency of damage in accordance with ISO 27005.
The risk analysis is used to determine the risk in detail, based on conformity with the established ITpoint Systems AG security standards, and to identify possible additional measures to be taken where an increased need for protection exists. The criteria for the need for protection are defined as follows:
The assets of ITpoint Systems AG are categorized according to confidentiality levels as per the ITpoint Systems AG Security Policy.
In principle, a risk assessment (RA) is required at a protection level equal to or greater than the following:
The defined measures in the information security management system cover the standard threats and vulnerabilities as part of basic security:
The risk acceptance criteria are defined by management and reviewed annually. If the risks are too high, measures are defined to mitigate them. The measures are transferred to the ITpoint Systems AG CSI register and processed.
ITpoint Systems AG takes technical and organizational security measures to protect and preserve all systems and data that are critical to our business and relevant to our operations.
The management of ITpoint Systems AG bears overall responsibility for security, makes decisions in this area and adopts the Security Policy. Periodically, but at least once a year, a management review takes place. The Security Manager prepares a security report for this purpose.
At a minimum, the report shall include the following:
Decided measures are documented in the minutes.
The CISO is defined as a staff position to the Executive Board. He forms the interface from the security & compliance team to the Executive Board. The Chief Information Security Officer is responsible for:
The Security & Compliance Manager is charged with ensuring the protection of information assets and is responsible for the implementation or coordination of security measures.
The information owners shall ensure within their area of responsibility that
Each business unit of ITpoint Systems AG is responsible for the security of its information in terms of confidentiality, integrity and availability and for adequate protection of the information according to its value and risk for the business or technical environment concerned. Users report violations of the Security Policy to the Service Desk, which consults the supervisor or the Security Manager. Service contracts with users refer to the obligations of information users, as do contracts with external employees.
An NDA is signed with partners or suppliers – if information is exchanged. The ITpoint Systems AG NDA applies mutually and for the cooperation defined in the NDA. If employees of partners need access to ITpoint Systems AG systems or an ITpoint Systems AG account, they are treated the same as internal employees. They must read the policies and instructions and pass the security test. Visitors must register on a visitor list when entering an ITpoint Systems AG office.
The crisis team is responsible for managing the handling of business-critical incidents (such as a Major Incident) that escalate to crises. The Continuity Manager is responsible for the development and continuous improvement of emergency preparedness. In the event of a major incident, the crisis team consists of at least the Major Incident Manager and the Communication Manager. If necessary, GL members and team leaders are called in. In the case of environmental crises (pandemic, environmental disaster, etc.), the crisis team is put together as required (see, for example, the pandemic plan).
ITpoint Information Security Policy
Version: 1.2 | 23.08.2021