Information Security Policy for our Customers


1. Introduction

1.1 Purpose

This Information Security Policy is put into effect by the management team and documents the basic requirements for information security at ITpoint Systems AG. It is the basis of all further instructions and activities in information security management and demonstrates the importance of confidentiality, availability and integrity of information in the custody of ITpoint Systems AG.

ITpoint Systems AG is aware of the fact that absolute security is not achievable in a flexible IT infrastructure. This policy therefore defines a level of security to be pursued, taking into account factors such as functionality, cost, efficiency and legal regulations. In particular, ITpoint Systems AG is committed to the security of customer assets.


1.2 Scope

This document and the regulations contained therein, as well as the documents derived therefrom, are binding and must be brought to the attention of all internal and external employees of ITpoint Systems AG. The scope covers all technical services, data, systems, components and customer services under the responsibility of ITpoint Systems AG.

The security regulations of agreements with customers, partners and suppliers are aligned with the Information Security Policy.


1.3 Violations

By signing and completing the ITpoint Systems AG Information Security Compliance Test, the employee acknowledges that he/she has read and understood the Security Policy and the other requirements (see section 1.5).

Violations are actions that have caused damage or could cause damage. Damage is understood to mean financial losses, damage to good reputation and legal violations with criminal consequences. This also applies to the use of company and customer information for illegal or non-service purposes. Intentional or grossly negligent violations of this Information Security Policy and the regulations derived from it may have disciplinary or labour law consequences – in serious cases also criminal or civil law consequences. Warnings are issued by the Security Manager and the direct manager and are recorded in the personnel file. In the event of non-compliance with contractual agreements relating to security, services provided may be restricted or discontinued.

Employees in management functions ensure that security requirements are met and report breaches to HR and the Security & Compliance team. This is further supported by reviewing the results of internal audits, by results provided by monitoring and measurement tools, and by assessing the results achieved against security objectives and key performance indicators (KPIs). In addition, those responsible must determine how any non-conformities identified are to be handled.


1.4 Approval and modification

The Information Security Policy is adopted and enacted by the ITpoint Systems AG management team. It is checked and, if necessary, modified at least once a year. Changes are proposed by the Chief Security Officer at the Management Review meeting, discussed and approved by the management team. Exceptions are proposed by the Chief Security Officer or the Change Advisory Board and approved by the CEO or executive board.


1.5 Legal, contractual and internal requirements

ITpoint Systems AG commits to comply with the following requirements:

  • Legal requirements (Swiss DSG Data Protection Act, EU GDPR General Data Protection Regulation)
  • Requirements defined in customer and supplier contracts
  • Internal, overarching requirements from the business strategy
  • Internal subordinate requirements from following documents:
    • ITpoint Information Security Compliance Test
    • ITpoint Information Security Guidelines
    • ITpoint PublicCloudServices Guidelines*
    • ITpoint Data Carrier Guidelines*
    • ITpoint Cryptographic Guidelines*

*currently not translated into English


2. Security goals

Information is an important factor in the success of ITpoint Systems AG and its customers. In addition to availability, the confidentiality of information is of the utmost importance. Every person must therefore be aware of the need for information security and act accordingly. This is not only required by law, but also part of our obligations towards customers and regulators. ITpoint Systems AG wants customers, employees, partners and suppliers to understand that ITpoint Systems AG is a secure and trustworthy service provider. The following security objectives have been adopted by ITpoint management:

  • Protection of assets and in particular information focusing on:
    • Confidentiality
    • Integrity
    • Availability
  • The agreements with customers regarding quality and security are permanently adhered to for all products and services offered by ITpoint. The security level of our products and services is market-oriented.
  • All employees assume their own responsibility regarding security concerns. Employees are enabled to do so through awareness of the appropriate measures.
  • ITpoint contractors (customers, partners, service companies, external consultants, suppliers, etc.) comply with the relevant security requirements. At least one mutual Non-Disclosure Agreement (NDA) will be signed.
  • Legal regulations are complied with.

3. Implementation

In order to achieve the objectives, the following framework conditions must be observed and ensured.

3.1 Security awareness

The requirements for security objectives and measures are brought to the attention of the organization at regular intervals, at least once a year. In particular, all new internal and external employees are familiarized with the security regulations and made aware of their personal responsibility. ITpoint Systems AG offers its employees IT security training in order to promote awareness and pass on security experience from day-to-day business. In addition, a regular security newsletter has been established, which is made available via the company-internal communication platform.


3.2 Risk Management

Risk assessments are carried out periodically as part of the risk management process. Risk management is an essential part of the information security management system and is based on the ISO27005 standard. All relevant ISO27005 threats are assessed for damage and frequency. In addition, the ENISA Top 15 threats are periodically reviewed and reassessed.

The risk analysis is used to determine the risk in detail, based on compliance with the defined ITpoint security standards and on any additional measures taken in the event of increased protection requirements. The criteria for the need for protection are defined as follows:

Confidentiality

ITpoint assets are categorized according to confidentiality levels in accordance with the ITpoint Security Policy.

  • External V0: Anyone can use them and there are no special requirements. Loss of such data would not contribute to the extent of the damage.
  • Internal V1: Information is freely available within ITpoint Systems AG in accordance with the allocated access rights. Loss of such data would have an impact on the extent of the damage (Compliance/Financial/Image -> A2)
  • Confidential V2: Information is sensitive and intended only for defined persons. Loss of such data would have a huge impact on the extent of the damage (Compliance/Financial/Image -> A3-A4)

Integrity

  • Normal I1: In principle, all assets have a normal need for protection
  • High I2: If the correctness and comprehensibility of the contents of the asset are essential for the company, it has a high need for protection

Availability

  • Low A1: Customers without SLA
  • Normal A2: Customers with SLA, 99.7%, RTO 72h
  • High A3: Customers with SLA, 99.7%, RTO 12h
  • Very High A4: ITpoint environment / CNG management environment

In principle, a risk analysis (RA) is required when the following protection requirements apply:

  • Confidentiality = V2
  • Integrity = I2
  • Availability = A3

The defined measures in the Information Security Management System cover the standard threats and vulnerabilities as part of basic security:

  • Confidentiality = V1
  • Integrity = I1
  • Availability = A1, A2

The risk acceptance criteria are defined by the management and reviewed annually. If risks are too high, measures to reduce them are defined (risk mitigation). The measures are transferred to the ITpoint Systems AG Continual Service Improvement (CSI) register and mitigated accordingly.


3.3 Security measures

ITpoint Systems AG takes technical and organizational security measures to protect and maintain all systems and data critical to our business and relevant to our business activities.

Technical measures:

  • Identity & Access Management for sensitive infrastructures/applications
  • Monitoring solutions to detect security incidents
  • General security devices such as firewall, anti-virus protection, IDS/IPS, proxy, DDoS protection, etc.
  • Secure remote access (VPN / 2FA)
  • Physical security of ITpoint data centers such as lockable doors, access control, video surveillance, etc.
  • Availability of data through redundant infrastructures
  • Recoverability through backup / restore procedures
  • Cryptographic measures (data encryption / data transmission)
  • Ransomware protection on Common Internet File System (CIFS) file system
  • Vulnerability management by means of regular vulnerability scans
  • Ransomware-proof immutable backup
  • Active Directory (AD) auditing using Netwrix reports

Organizational measures:

  • Trained employees
  • Regulation regarding the handling of personal data
  • Employee background check
  • Management systems for information security, risk management, business continuity according to ISO/IEC 20000 and 27001
  • ISO/IEC 20000 certifications
  • NDA / Non-disclosure agreements with external service providers
  • ISAE 3402 Type 2 Report
  • Order processing contracts for GDPR relevant customer relationships
  • Order processing contract with parent company (Sharp)
  • Order processing contracts according to new Swiss data protection law (from Sept. 2023)
  • Order processing contracts for partner companies (subcontractors) according to new Swiss data protection law (from Sept. 2023)

4. Security organization

4.1 Management

The management team of ITpoint Systems AG has the overall responsibility for security, makes decisions in this area and adopts the security policy. A management review takes place periodically, but at least once a year. The Security Manager and the Process Manager produce a consolidated ISO20000/27001 management report, which is electronically signed by senior management.

The report shall include at least the following aspects related to ISO27001:

  • General state of the security management system
  • Audits performed
  • Development of security status
  • Definition and achievement of security objectives
  • Risk situation and status of special risks

Decided measures are documented in the minutes.


4.2 CISO

The CISO (Chief Information Security Officer) is defined as a staff position of the management team. The CISO forms the interface between the Security & Compliance Team and the management board. The Chief Information Security Officer is responsible for:

  • Definition of the enterprise wide Information Security Policy
  • Definition of security requirements in consultation with the management team
  • Establishment and operation of an information risk management system
  • Development of information security related policies, standards and guidelines
  • Regular execution of internal and external security audits
  • Definition of KPI with control of the effectiveness of information security measures
  • Regular reporting
  • Supporting information security issues and the definition of specific security requirements at management level
  • Developing awareness programs
  • Analysis of the current threat situation and preparation of corresponding management reports
  • Establishment and operation of the new Information Security Management System (ISMS)
  • Regular exchange with security organizations and authorities
  • Gathering information on current threats as well as targeted countermeasures

4.3 Information Security & Compliance Manager

The Information Security & Compliance Manager is responsible for ensuring the protection of information assets and for the implementation and coordination of security measures.

  • Definition of the enterprise wide Information Security Policy
  • Structure and operation of the information risk management systems
  • Development of information security related policies, standards and guidelines
  • Regular execution of internal and external security audits
  • Definition of KPI with control of the effectiveness of information security measures
  • Regular Reporting
  • Developing awareness programs
  • Analysis of the current threat situation and preparation of corresponding management reports
  • Establishment and operation of the new Information Security Management System (ISMS)
  • Regular exchange with security organizations and authorities
  • Gathering information on current threats as well as targeted countermeasures
  • Advising and supporting the specialist departments on information security and IT compliance issues
  • Execution of IT project audits

4.4 Information owner

Information owners have the responsibility to:

  • Classify information and systems according to their business relevance
  • Adhere to security objectives

4.5 Information user

Each business entity is committed to the security of its information in terms of confidentiality, integrity and availability and is responsible for ensuring adequate protection of the information according to its value and its risk to the relevant business or technical environment. Users report security policy violations to the Security Manager or their line manager, who in turn involves the Security Manager.

Service contracts, as well as contracts with external employees, refer to the obligations of information users regarding information security.


4.6 Partners, Suppliers, Visitors

A Non-Disclosure Agreement (NDA) will be signed with partners or suppliers when information is being exchanged. The ITpoint NDA applies to both parties, ITpoint and the partner, for the cooperation defined in the NDA. If partner employees need access to ITpoint systems or an ITpoint account, they are treated in the same way as internal employees. They must read the policies, guidelines and instructions and pass the security test. Visitors must register on a visitor list when entering an ITpoint office.


4.7 Crisis unit and emergency management

The crisis unit is responsible for managing and handling major incidents that could potentially escalate into a crisis. The Business Continuity Manager is responsible for the development and continuous improvement of emergency procedures.

In the event of a major incident, the crisis team shall consist of at least the Major Incident Manager and the Communication Manager. If necessary, management team members and team leaders are called in for support. In the case of environmentally related crises (such as a pandemic or an environmental disaster), the crisis team is put together as required and according to separate plans (see the pandemic plan for reference).


5. Signature

This Policy is effective as of the date of signature and will be signed electronically. It will be made available to all parties through our website www.itpoint.ch and www.oria.ch.


ITpoint Information Security Policy
Version: 1.5 | 20.06.2022