Information Security Policy
Principles of our Information Security Policy
- Our Information Security Management System (ISMS) comprises a framework of general and specific Information Security policies (our Information Security Policy Framework), which shall be known and applied depending on your role and/or relationship with our organization.
- Our ISMS shall reflect both our internal information security requirements and the laws, regulations, and contractual obligations that apply to our different activities. We shall review these requirements regularly, at least once a year, to ensure continuous compliance.
- To keep our ISMS effective, our Information Security Policies (together with the corresponding procedures, processes, objectives, and controls) shall be reviewed both at planned intervals and whenever significant changes occur, to ensure they remain suitable and adequate. You should consult the Information Security Policies applicable to you regularly, so that you know and apply your information security responsibilities and remain compliant at all times.
- Our ISMS shall be reviewed at planned intervals, and whenever significant changes occur, both internally and externally by independent auditors. These reviews shall help us identify deviations in effectiveness, improve our ISMS, and keep up to date with current information security best practices. Beyond these reviews, however, all of us as an organization shall commit to improving our ISMS continuously, as part of our everyday work. We aim to promote a culture of awareness, adequacy, and continuous improvement in information security.
- Our management, CISO, the CISO-Office and those persons designated as Information Security Delegates shall regularly review the compliance of the information systems, policies, and procedures within their corresponding area of responsibility, to ensure that the appropriate security policies, procedures, controls and/or other Information Security requirements are in place.
- To facilitate compliance, we shall provide appropriate training and education in the policies and procedures that apply to each role and/or relationship with our organization. Training and education for third parties may be omitted where equivalent training is already provided externally, to the extent it covers the activities conducted for our organization. Management will decide to what extent training and/or education applies in each case.
- We shall take the appropriate measures to detect, prevent, and, when necessary, recover from malware and any other kind of security incident. Additionally, to increase our resilience in these matters and depending on your role and/or relationship with our organization, we shall commit to increasing your awareness through the appropriate communications and information.
- Depending on your role and/or relationship with our organization, and considering the criticality of the information you may have access to, we may require you to sign a confidentiality and/or Non-Disclosure Agreement. Confidentiality and Non-Disclosure Agreements shall identify the nature of your relationship with our organization and determine what is regarded as Confidential Information, how it shall be protected, and the term of your obligations in these matters. All confidentiality and/or Non-Disclosure Agreements shall be reviewed regularly, at least once a year, to ensure that the above requirements remain met and up to date.
All these principles have been defined and approved by our management and are herewith published and communicated for compliance by each corresponding party.
Thank you for your collaboration.
Updated June 12, 2020