Information Security Policy
Information is an extremely important asset of XOPERO SOFTWARE and we are responsible for ensuring that this information is kept safe and used appropriately. Without due diligence, information can be exposed, which is a big enough problem in itself, and there are additional issues to consider in terms of protection against increasingly proactive and sophisticated theft attempts.
Therefore, the "XOPERO Information Security Policy” has been defined, which ensures that data stored and processed by XOPERO is treated in accordance with the highest standards to ensure its security.
The following objectives have been defined:
- Ensure the compliance with laws, regulations and contractual obligation in regards to information security,
- Ensure the protections of customers and employees data, protection of XOPERO SOFTWARE assets against theft, disclosure, misuse, and others forms of harm and loss,
- Develop and assess the XOPERO’s SOFTWARE information assets and in accordance with results implement the appropriate controls,
- Ensure that XOPERO SOFTWARE is able to continue its services in case of major incident and other threats,
- Ensure that external providers meet XOPERO’s SOFTWARE information security requirements,
- Raise the information security awareness for XOPERO’s SOFTWARE employees.
Protecting Computing and Information Assets
What is the information security
Information security it is protecting information, software, and equipment from incidents relating to disclosure, modification, interruption and disposal. With the information itself, requirements for privacy, confidentiality, integrity and availability must also be addressed.
Protection computing and information assets
The primary target of the XOPERO’s SOFTWARE information security program is to protect the confidentiality, integrity and availability of information.
- Confidentiality: information not meant to be published in public must only be made available for authorized persons.
- Integrity: error-free processing of information and the protection of it against unauthorized modification has to be warranted.
- Availability: information has to be provided within an agreed time.
Physical Security
Physical information security is the physical, rather than electronic, protection of information and access to that information. A lot of information security is focused on protecting information from a systems, network or software perspective, but we must not forget to physically protect information as well. All too often, information is easily compromised by unauthorized personnel taking advantage of weak physical security.
Access Control
Access control are put in place to protect information by managing who has the rights to use different information resources and by guarding against unauthorized use. The basic principle is that access to all systems, networks, services, offices, rooms, and information is forbidden unless expressly permitted to individual users or groups of users.
This document describes:
- Account Management
- Registration
- Account privileges
- De-registration
- Access monitoring and review
- Remote access account
- Third party access account
- Network access account
Clear Desk and Clear Screen
All employees and partners are to respect a basic rule: Do not leave any materials containing sensitive data on the desks or within eyesight unattended.
All users of workstations, PCs / laptops and other terminals are to ensure that their screens are clear / blank when not being used.
Security Measure for Information Devices
The purpose is to stipulate the compliance rules for installing and controlling information devices (PCs, external storage media, cameras, etc.), portable information devices (smart phones, tablets, mobile phones, etc.) and software used for business purposes so that the company’s information assets can safely be used.
Security Measure for Information Systems
The purpose is to clarify the security measures for installation procedures and operations of information systems/servers, which are connected to XOPERO SOFTWARE network so that the company’s information assets can be safely protected and used.
Security Measure for Network Operations
The purpose is to maintain and improve safety and reliability of XOPERO SOFTWARE network by clarifying the operation management when building and expanding the network.
External Service Use
The purpose is to stipulate information security measures to be observed in order to prevent the company’s information assets from information leakage, etc. when using external services, such as the information systems provided by a third party. XOPERO SOFTWARE requires the security of its information to be maintained and meets its statutory, regulatory and contractual requirements.
This document describes:
- Policy of use
- Risk assessment and contract
- Managing suppliers and third party access risk
- Contractual agreement
- Investigation of outsourcing companies
- Outsourcing management
- Access to XOPERO information assets and systems
- Physical Access by External Parties to Secure Areas
- Access to XOPERO SOFTWARE network by External Parties
- Third Party Support and Maintenance
- After Termination of Outsourcing Agreement
Information Security Incident Management
The purpose is to stipulate the measures to minimize damages and smoothly go back to normal when an information security incident occurs and each department immediately and appropriately takes actions in cooperation.
Business Continuity
This document describes the arrangements for identifying the business resilience and continuity requirements for information systems and information security processes, and will form an integral part of the wider organizational Business Continuity Management process covering all aspects of XOPERO’s SOFTWARE business.
Personal Information Handling
The purpose is to clarify items to be observed when personal information is appropriately collected, maintained or destroyed and to observe the Personal Information Protection Act.
Personal information means information about a living individual which can identify the specific individual by name, date of birth or other descriptions contained in such information (including the information that can easily be checked with other information and thereby identify the specific individual) or information which includes individual identification codes.
