This Information Security Policy is put into effect by the management team and documents the basic requirements for information security at ITpoint Systems AG. It is the basis of all further instructions and activities in information security management and demonstrates the importance of confidentiality, availability and integrity of information in the custody of ITpoint Systems AG.
ITpoint Systems AG is aware of the fact that absolute security is not achievable in a flexible IT infrastructure. This policy therefore defines a level of security to be pursued, taking into account factors such as functionality, cost, efficiency and legal regulations. In particular, ITpoint Systems AG is committed to the security of customer values.
This document and the regulations contained therein, as well as the documents derived therefrom, are binding and must be brought to the attention of all internal and external employees of ITpoint Systems AG. The scope covers all technical services, data, systems, components and customer services under the responsibility of ITpoint Systems AG.
The security regulations of agreements with customers, partners and suppliers are aligned with this Information Security Policy.
Violations are actions that have caused or could cause damage, either actual damage or potential damage. Damage is understood to mean financial losses, damage to good reputation and legal violations with criminal consequences. This also applies to the use of company and customer information for illegal or non-service purposes.
Intentional or grossly negligent violations of this Information Security Policy and regulations derived from it may have disciplinary or labour law consequences – in serious cases also criminal or civil law consequences.
The Information Security Policy is adopted and enacted by the ITpoint Systems AG management team. It is checked and, if necessary, modified at least once a year.
Changes are proposed by the Chief Security Officer at the Management Review meeting, discussed and approved by the management team.
Exceptions are proposed by the Chief Security Officer or the Change Advisory Board and approved by the CEO or executive board.
ITpoint Systems AG is committed to comply with all legal and contractual requirements.
Information is an important factor in the success of ITpoint Systems AG and its customers. In addition to availability, the confidentiality of information is of the utmost importance. Every person must therefore be aware of the need for information security and act accordingly. This is not only required by law, but also part of our obligations towards customers and regulators. ITpoint Systems AG wants customers, employees, partners and suppliers to understand that ITpoint Systems AG is a secure and trustworthy service provider.
The following security objectives have been adopted by ITpoint management:
In order to achieve the objectives, the following framework conditions must be observed and ensured.
The requirements for safety objectives and measures are brought to the attention of the organization at regular intervals, at least once a year. In particular, all new internal or external employees are familiarized with the security regulations and made aware of their personal responsibility. ITpoint Systems AG offers its employees IT security training in order to promote awareness and pass on security experience from day-to-day business. In addition, a regular security newsletter has been established, which is made available via the company-internal communication platform.
Risk assessments are carried out periodically as part of the risk management process. Risk management is an essential part of the information security management system and is based on the ISO27005 standard. All relevant ISO27005 threats are assessed for damage and frequency. In addition, the ENISA threat landscape is periodically reviewed and reassessed.
The risk analysis is used to determine the risk in detail based on compliance with the defined ITpoint safety standards, as well as possible additional measures taken in the event of increased protection requirements.
The defined measures in the Information Security Management System (ISMS) cover the standard threats and vulnerabilities as part of basic security.
The risk acceptance criteria are defined by the management and reviewed annually.
If risks are too high, measures to reduce them are defined (risk mitigation).
ITpoint Systems AG takes technical and organizational security measures to protect and maintain all systems and data critical to our business and relevant to our business activities.
The management team of ITpoint Systems AG has the overall responsibility for security, makes decisions in this area and adopts the security policy. A management review takes place periodically, but at least once a year. The Security Manager and the Process Manager produce a consolidated ISO20000/27001 management report, which is signed by senior management.
The report shall include at least the following aspects related to ISO27001:
Decided measures are documented in the protocol.
The CISO (Chief Information Security Officer) is defined as a staff position of the management team. The CISO forms the interface between the Security & Compliance Team and the management board.
The Information Security & Compliance Manager is responsible for ensuring the protection of information values and is responsible for the implementation and coordination of security measures.
Information owners have the responsibility to:
Each business entity is committed to the security of its information in terms of confidentiality, integrity and availability and is responsible for ensuring adequate protection of the information according to its value and risk to the relevant business or technical environment.
Service contracts, as well as contracts with external employees, refer to the obligations of information users regarding information security.
A Non Disclosure Agreement (NDA) will be signed with partners or suppliers when information is being exchanged. The ITpoint NDA applies to both parties, ITpoint and to the cooperation defined in the NDA.
A separate process is initiated for crisis management and regularly reviewed by means of crisis team exercises.
The crisis team has the task of managing the handling of business-critical incidents (such as a major incident) that escalate into crises.
ITpoint Information Security Policy
Version: 2.1 | 16.12.2024