Quality Management System – Information Security (ISMS)
ANNEX 1 – COMPANY POLICY
The COMPANY POLICY requires that, in line with the company mission, the management of all company processes is set up according to the rules for applying the Management System in accordance with the ISO/IEC 27001:2013 standard.
PURPOSE AND OBJECTIVES
The JOTURL management has defined, disclosed, and undertakes to keep this Information Security Management policy active at all levels of its organization.
The purpose of this policy is:
to guarantee maximum customer satisfaction in the use of our services and the protection, from all threats, internal or external, intentional or accidental, of the information handled in the context of our activities, in accordance with the indications of the ISO/IEC 27001 standard and the guidelines contained in the ISO/IEC 27002 standard, in their latest versions.
This policy applies equally to all bodies and levels of the Company.
The implementation of this policy is mandatory for all staff and must be included in the regulation of agreements with any external party who, in any capacity, may be involved with the processing of information falling within the scope of the Integrated Management System (IMS).
INFORMATION SECURITY POLICY
The information assets to be protected consist of all the information managed through the services provided and located in all company offices.
It is necessary to ensure:
- the confidentiality of information: that is, the information must be accessible only to those who are authorized.
- the integrity of information: that is, the accuracy and completeness of the information and of the methods used to process it must be protected.
- the availability of information: that is, authorized users can access the information and related assets when they need them.
The lack of adequate levels of security can lead to damage to the corporate image, lack of customer satisfaction, the risk of incurring penalties related to the violation of current regulations as well as damage of an economic and financial nature.
An adequate level of security is also essential for sharing information.
The company identifies all security needs through an analysis of the risks to its corporate assets, which gives it an appropriate awareness of its level of exposure to threats. The risk assessment makes it possible to evaluate the potential consequences and damage that may derive from failing to apply security measures to the information system, and the realistic probability that the identified threats will materialize.
The results of this assessment determine the actions necessary to manage the identified risks and the most suitable security measures.
Our principles of information security management encompass the following aspects:
- ALWAYS UP-TO-DATE ASSET INVENTORY – A constantly updated catalog of the corporate assets relevant to information management must be maintained, and a manager must be identified for each asset. Information must be classified according to its level of criticality, so that it is managed with consistent and appropriate levels of confidentiality and integrity.
- UPDATED INFORMATION RISK ASSESSMENT – The information risk assessment is updated at least once a year on the occasion of the management review or in case of adverse events or in the case of an asset inventory adjustment.
- SECURE ACCESS TO SYSTEMS – To ensure the security of information, every access to the systems must go through an identification and authentication procedure. Authorizations to access information must be differentiated on the basis of the role and position held by each individual, so that each user can access only the information he or she needs, and must be reviewed periodically.
- SECURE USE OF COMPANY ASSETS – Procedures must be defined for the secure use of company assets and information and of the systems that manage them.
- CONTINUOUS STAFF TRAINING – Full awareness of information security issues must be encouraged in all staff (employees and collaborators) from the moment of selection and for the entire duration of the employment relationship.
- TIMELY MANAGEMENT OF ADVERSE EVENTS – In order to manage incidents promptly, everyone must report any security-related issue. Each incident must be handled as indicated in the procedures.
- ADEQUATE PHYSICAL PROTECTION OF COMPANY OFFICES – Unauthorized access to the offices and to the individual company premises where information is managed must be prevented, and the security of the equipment must be guaranteed.
- MANAGEMENT OF CONTRACTUAL COMPLIANCE WITH THIRD PARTIES – Compliance with the legal requirements and with the principles related to information security in contracts with third parties must be ensured.
- SIMULATIONS OF THE BUSINESS CONTINUITY PLAN – A continuity plan must be prepared that allows the company to deal effectively with an unforeseen event, ensuring the restoration of critical services within times and in ways that limit the negative consequences for the corporate mission.
- IT SECURITY BY DESIGN – Security aspects must be included in all phases of design, development, operation, maintenance, assistance and decommissioning of IT systems and services.
- CONTINUOUS LEGISLATIVE UPDATE – Compliance with the provisions of the law, statutes, regulations or contractual obligations and any requirement concerning information security must be guaranteed, minimizing the risk of legal or administrative sanctions, significant losses or damage to reputation.
- PERIODIC PENETRATION TESTS – Periodic penetration tests must be carried out on infrastructures and applications to evaluate the resilience of the systems to external attacks, to identify any vulnerabilities and to allow their subsequent fixing.
RESPONSIBILITY FOR COMPLIANCE AND IMPLEMENTATION
Compliance and implementation of the policies are the responsibility of:
- All staff who, in any capacity, collaborate with the company and are in any way involved with the processing of data and information that fall within the scope of the Management System. All staff are also responsible for reporting any anomalies and violations of which they become aware.
- All external parties who have relationships and collaborate with the company. They must ensure compliance with the requirements contained in this policy.
- The Manager of the Management System, who, within the Management System and through appropriate rules and procedures, must:
  - conduct risk analysis with the appropriate methodologies and take all measures required for risk management;
  - establish all the rules necessary for the secure conduct of all company activities;
  - verify security breaches, take the necessary countermeasures and control the company’s exposure to the main threats and risks;
  - organize training and promote staff awareness of everything related to information security;
  - periodically check the effectiveness and efficiency of the Management System.
Anyone (employees, consultants and/or external collaborators of the Company) who, intentionally or through negligence, disregards the established security rules and thus causes damage to the company may be prosecuted in the appropriate forums, in full compliance with the applicable legal and contractual constraints.
Management will check the effectiveness and efficiency of the Management System periodically and regularly, and in conjunction with significant changes, in order to ensure adequate support for the introduction of all necessary improvements and to facilitate the activation of a continuous process through which the policy is controlled and adjusted in response to changes in the corporate environment, the business and legal conditions.
The Manager of the Management System is responsible for reviewing the policy.
The review must verify the status of preventive and corrective actions and adherence to the policy.
It must take into account all changes that may affect the company’s approach to managing the quality and security of information, including organizational changes, the technical environment, the availability of resources, legal, regulatory or contractual conditions, and the results of previous reviews.
The result of the review must include all decisions and actions related to improving the company’s approach to managing the quality and security of information.
Management actively supports information security in the organization through clear direction, clear commitment, explicit assignments, and acknowledgment of information security responsibilities.
Management’s commitment is implemented through a structure whose tasks are to:
- ensure that all information security objectives are identified and that these meet business requirements;
- establish corporate roles and responsibilities for the development and maintenance of the ISMS;
- provide sufficient resources for the planning, implementation, organization, control, review, management and continuous improvement of the ISMS;
- check that the IMS is integrated into all company processes and that procedures and controls are developed effectively;
- approve and support all initiatives aimed at improving the quality and security of information;
- activate programs for the dissemination of awareness and culture of information quality and security.