Our plan to work with information security in a structured and risk-oriented way.
Information Security Policy
- Trust, But Verify Us
Important: This is a public copy of an internal policy.
Elastisys works with information security management in a structured and risk-oriented way according to general community best practices, the principles of the international standard ISO/IEC 27001, and SKL requirements regarding GDPR and data management. Elastisys is ISO/IEC 27001 certified.
For Elastisys’ current information security work we have set these strategic goals:
Elastisys performs recurring risk assessments as part of its risk control procedures. The risk analysis, which is conducted annually, aims both to identify the critical information assets requiring protection and to provide a documented rationale for what is worth protecting. The risk analysis also relates the identified assets to the threats that the business may be exposed to and to the vulnerabilities that the business may be afflicted with. Finally, the risk analysis is aimed at developing a decision basis for the introduction of controls with the purpose of:
For each of these security disciplines, organisational, administrative and technical controls are implemented and documented in such a way as to ensure that a satisfactory level of information security protection is achieved.
The organisation's management is ultimately responsible for the information security and therefore also for the information security management at the strategic level. This responsibility includes ensuring that there are economic and personnel resources available with the right skills to be able to reach the objectives of this information security policy.
Responsibility for operating the information security management system is delegated to the Chief Information Security Officer (CISO). This includes identifying critical information assets, conducting risk analyses, selecting and implementing controls and measures aimed at improving the organisation's information security posture, initiating security audits, and regularly evaluating information security management.
All co-workers who in any way handle sensitive information in conducting their work are responsible for protecting that information and for complying with the information security regulations in place. Customer information is always classified as confidential, with a very limited set of employees being granted access.
The Information Security Management processes are reviewed and evaluated annually. Discrepancies and inadequacies, as well as the occurrence of incidents, are systematically documented so that the lessons learned from such events can feed into the work of continuous improvement. The results of information security related activities, ongoing activities and the estimated risk levels are handled as part of the recurring management meetings.