Information Security Policy
We strive towards continual improvement in everything we do, and information security is no exception. To this end, we have formulated a policy that serves as a framework for our objectives and risk management. We test and improve this policy regularly via the PDCA cycle.
The Executive Board of Excellate Group has opted to set up the management of information security in accordance with ISO 27001/ISO 27002 and in line with the relevant legislation and regulations.
Every employee understands the importance of information security and safeguards this within their own work, using the Golden Rules as their starting point. Knowledge and expertise are essential for sustainable information security and must be protected. All employees are trained in information security awareness and the use of procedures.
Information security policy
Provision of information plays a crucial role in all Excellate Group business processes. Excellate Group therefore wants to handle information responsibly, which means that the quality of information provision must be controlled. An organization-wide approach to information security plays a key role in this respect. When information security is not set up properly, the organization runs unnecessary risks which can lead to major financial damage, legal consequences and a negative impact on the company’s reputation.
The required quality level for provision of information is achieved through an appropriate system of measures guaranteeing the availability, integrity and confidentiality of information. People, processes and technology are the pillars of these measures. Measures are taken in the information security process following a risk analysis. The appropriate measures are chosen based on actual risks facing Excellate Group.
Excellate Group strives towards full compliance with the requirements (as set forth in the stakeholder analysis), with the most important being:
- 0% data loss with regard to our customers’ digital assets
- No data breaches, in particular due to failure of our logical access security measures or caused by actions of our employees.
- Aiming for 100% availability (uptime) of our platform.
Strategic policy topics
Our policy is determined at management / strategic level.
Mobile device policy
Company devices (laptops) are issued in line with the policy described in the IT Handbook (asset management). Smartphones fall under a BYOD policy for which no technical measures are currently enforced, since local storage of confidential data on them is minimal.
Telecommuting is allowed provided secure connections are used.
Access protection policy
Access is secured through multi-factor authentication where possible (on a best-effort basis) and granted according to the 'need to know' principle for information classified as confidential or higher.
Policy on the use of cryptographic controls
Transport, message and data encryption are applied to systems and data classified as confidential or higher.
Clear desk and clear screen policy
The clear screen & clear desk policy applies to confidential and secret information, for both physical and digital workspaces.
Back-up of information
Back-ups are made redundantly, based on classification, and stored both within and beyond the physical location, with appropriate retention periods and a corresponding testing schedule.
Restrictions on installing software
Administrators may install approved software; see also our change management process in this respect. We do not use a whitelist of permitted software. For non-administrators, approval is given by the Security Officer.
Information transportation policy and procedures
Transport encryption, message encryption and/or data encryption are applied where required by the system/data classification.
Secure development policy
Rules for the development of software and systems are organised along the OTAP stages (development, test, acceptance, production). We use protected development environments for this. Copies of production data may be used in testing.
Golden Rules
The following Golden Rules apply at the Excellate Group:
- Take a 'clear screen & clear desk' approach.
- Use strong passwords.
- Only have data that you really need (‘need to know’ principle).
- Separate access to data based on classification.
- Only save/transfer data using approved systems and through approved company networks (with appropriate security measures).
- Always save data in a location that will be backed up. In other words, always store data on Google Drive, not on local devices, unless it’s essential for work.
- Only use permitted devices.
- Do not connect to public networks; use a secure private hotspot.
- Always log in to company networks with your own account; do not use shared accounts/passwords.
- Apply secure development and secure architecture principles in software management and development.
- Apply the security principles to suppliers and freelancers too.
- Report suspicious situations to the Security Officer. Consistent reporting of incidents allows us to monitor dangerous or undesirable situations.