Information Security Policy for our Customers

1. Introduction

1.1 Purpose

This Information Security Policy is put into effect by the management team and documents the basic requirements for information security at ITpoint Systems AG. It is the basis of all further instructions and activities in information security management and demonstrates the importance of the confidentiality, availability and integrity of information in the custody of ITpoint Systems AG.

ITpoint Systems AG is aware that absolute security is not achievable in a flexible IT infrastructure. This policy therefore defines a level of security to be pursued, taking into account factors such as functionality, cost, efficiency and legal regulations. In particular, ITpoint Systems AG is committed to the security of customer assets.

1.2 Scope

This document, the regulations contained in it and the documents derived from it are binding and must be brought to the attention of all internal and external employees of ITpoint Systems AG. The scope covers all technical services, data, systems, components and customer services under the responsibility of ITpoint Systems AG.

The security regulations of agreements with customers, partners and suppliers are aligned with the Information Security Policy.

1.3 Violations

Violations are actions that have caused, or could cause, damage. Damage is understood to mean financial loss, damage to reputation and legal violations with criminal consequences. This also applies to the use of company and customer information for illegal or non-business purposes.

Intentional or grossly negligent violations of this Information Security Policy and regulations derived from it may have disciplinary or labour law consequences – in serious cases also criminal or civil law consequences.

1.4 Approval and modification

The Information Security Policy is adopted and enacted by the ITpoint Systems AG management team. It is reviewed and, if necessary, modified at least once a year. Changes are proposed by the Chief Security Officer at the Management Review meeting, then discussed and approved by the management team. Exceptions are proposed by the Chief Security Officer or the Change Advisory Board and approved by the CEO or the executive board.

ITpoint Systems AG commits to comply with the following requirements: 

  • Requirements by Law (Swiss DSG Data Protection Act, EU GDPR General Data Protection Regulation)
  • Requirements defined in customer and supplier contracts
  • Internal, overarching requirements from the business strategy
  • Security guidelines for the expert groups, derived from the ISO 27001 framework
  • Internal subordinate requirements from additional documents

2. Security goals

Information is an important factor in the success of ITpoint Systems AG and its customers. In addition to availability, the confidentiality of information is of the utmost importance. Every person must therefore be aware of the need for information security and act accordingly. This is not only required by law, but is also part of our obligations towards customers and regulators. ITpoint Systems AG wants customers, employees, partners and suppliers to recognize ITpoint Systems AG as a secure and trustworthy service provider.

The following security objectives have been adopted by ITpoint management:

  • Protection of assets and in particular information focusing on:
    • Confidentiality
    • Integrity
    • Availability
  • The agreements with customers regarding quality and security are adhered to at all times for all products and services offered by ITpoint. The security level of our products and services is market oriented.
  • All employees assume their own responsibility for security. Employees are enabled to do so through awareness of the appropriate measures.
  • ITpoint's contractual partners (customers, partners, service companies, external consultants, suppliers, etc.) comply with the relevant security requirements. At a minimum, a mutual Non-Disclosure Agreement (NDA) is signed.
  • Legal regulations are complied with.

3. Implementation

In order to achieve these objectives, the following framework conditions must be observed and ensured.

3.1 Security awareness

The security objectives and measures are brought to the attention of the organization at regular intervals, at least once a year. In particular, all new internal and external employees are familiarized with the security regulations and made aware of their personal responsibility. ITpoint Systems AG offers its employees IT security training in order to promote awareness and pass on security experience from day-to-day business. In addition, a regular security newsletter has been established, which is made available via the company's internal communication platform.

3.2 Risk Management

Risk assessments are carried out periodically as part of the risk management process. Risk management is an essential part of the information security management system and is based on the ISO 27005 standard. All relevant ISO 27005 threats are assessed for potential damage and frequency of occurrence. In addition, the ENISA threat landscape is periodically reviewed and the assessment updated.

The risk analysis determines each risk in detail, based on compliance with the defined ITpoint security standards and on any additional measures required where protection requirements are increased.

The measures defined in the Information Security Management System (ISMS) cover the standard threats and vulnerabilities as part of baseline security.

The risk acceptance criteria are defined by management and reviewed annually. If a risk exceeds the acceptance criteria, measures to reduce it are defined (risk mitigation). These measures are recorded in the ITpoint Systems AG Continual Service Improvement (CSI) register and tracked there until implemented.

3.3 Security measures

ITpoint Systems AG takes technical and organizational security measures to protect and maintain all systems and data that are critical to, or relevant for, its business activities.

4. Security organization

4.1 Management

The management team of ITpoint Systems AG has overall responsibility for security, makes decisions in this area and adopts the security policy. A management review takes place periodically, at least once a year. The Security Manager and the Process Manager produce a consolidated ISO 20000/27001 management report, which is signed by senior management.

The report shall cover at least the following aspects related to ISO 27001:

  • General state of the security management system
  • Audits performed
  • Development of security status
  • Definition and achievement of security objectives
  • Risk situation and status of special risks

Measures decided upon are documented in the meeting minutes.

4.2 CISO

The CISO (Chief Information Security Officer) is defined as a staff position of the management team. The CISO forms the interface between the Security & Compliance Team and the management board.

4.3 Information Security & Compliance Manager

The Information Security & Compliance Manager is responsible for ensuring the protection of information assets and for the implementation and coordination of security measures.

4.4 Information owner

Information owners have the responsibility to:

  • Classify information and systems according to their business relevance
  • Ensure adherence to the security objectives

4.5 Information user

Each business entity is committed to the security of its information in terms of confidentiality, integrity and availability, and is responsible for ensuring adequate protection of that information according to its value and the risk it poses to the relevant business or technical environment.

Service contracts, as well as contracts with external employees, refer to the obligations of information users regarding information security.

4.6 Partners, Suppliers, Visitors

A Non-Disclosure Agreement (NDA) is signed with partners or suppliers whenever information is exchanged. The ITpoint NDA is binding on both parties, ITpoint and the partner or supplier, for the cooperation defined in the NDA.

4.7 Crisis unit and emergency management

The crisis unit is responsible for managing and handling major incidents that could escalate into a crisis. The Business Continuity Manager is responsible for the development and continuous improvement of emergency procedures.

ITpoint Information Security Policy
Version: 2.0 | 19.03.2024