Version 1.0. Last updated 2023-02-21.
INTRODUCTION
This is the Information Security Policy for Connectel AB. Its purpose is to describe how the company works with information security.
STATEMENT
Connectel is a CPaaS (“Communication Platform as a Service”) company, and information processing is a fundamental part of its purpose. It is therefore essential that the organisation has clear and relevant policies and procedures in order to meet its commitments, comply with legislation, and retain the continued trust of its customers to process and protect their data.
The purpose of this Information Security Policy is to protect all information assets, regardless of whether they are processed by machines or by people.
INFORMATION SECURITY RESPONSIBILITIES
The Connectel Information Security Group (“ISG”) is responsible for managing information security in all systems, both when maintaining existing systems and when establishing new ones. The ISG is responsible for amending and annually reviewing this document, and for supporting the entire organisation in raising awareness, performing risk analysis, keeping up to date with security best practices, controlling permissions, and any other task that relates to or affects information security.
The ISG consists of multiple members with different areas of expertise and responsibility. The appointed Data Protection Officer (“DPO”) is a member of this group.
The members of the ISG, including the DPO, are appointed by the company board, and the appointments are reviewed annually.
EMPLOYEE RESPONSIBILITY
Employees who have been given access to a resource within Connectel are responsible for adhering to the procedures, workflows and routines set out by the company. It is the employee’s responsibility not to misuse any resource in an unintended way, not to share confidential information with unauthorised parties, and not to use any system in a way that could harm Connectel or its customers.
Any violation of this document may result in disciplinary procedures, and Connectel may impose sanctions on any employee who does not adhere to it.
INFORMATION SECURITY CULTURE
Connectel will work to establish, maintain and improve an information security culture within the organisation.
ACCESS CONTROL
Access, permissions, and privileges are provisioned using a zero-trust methodology, in which no access is granted by default, in accordance with the Access Control Policy.
ACCEPTANCE OF INFORMATION SYSTEMS AND ASSETS
The organisation ensures that all new information systems or assets adopted into the organisation are reviewed and accepted by the ISG before use.
BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS
Connectel shall have ready and tested business continuity and disaster recovery plans to maintain a high level of information security in case of disasters or other hazardous events.
CHANGE CONTROL
Changes to information systems, applications, or any asset shall be reviewed and approved by the ISG before entering into a production environment.
CLEAN DESK & SCREEN POLICY
Connectel employees shall adopt a clean desk and clean screen policy, meaning that no sensitive or confidential information shall be left unattended, whether on paper or on an unlocked screen.
CRYPTOGRAPHY CONTROLS
Encryption controls shall be implemented in accordance with the Cryptography Policy, which requires encryption of confidential and secret information both at rest and in transit.
MOBILE DEVICES
Apart from keeping an inventory of all devices, Connectel shall implement controls to protect information kept on mobile devices in accordance with the Mobile Device Policy.
INCIDENT RESPONSE
Connectel shall have in place procedures to manage and respond to information security incidents. All incidents shall be reported to the ISG.
INFORMATION CLASSIFICATION
Connectel shall classify information and implement classification controls based on the risk assessment performed for each asset.
INFORMATION RISK ASSESSMENT
Information security risks shall be identified, assessed and assigned an ownership in accordance with the Risk Assessment Procedure. Identified risks shall be reviewed continuously by the ISG.
NON-DISCLOSURE AGREEMENTS (“NDA”)
Employees, customers, suppliers, and consultants must enter an NDA before exchanging information.
NETWORK AND COMMUNICATION
Employees and third parties working for or on behalf of Connectel shall follow the guidelines and instructions given to them as part of the Remote Worker Policy. This includes, but is not limited to, the use of Virtual Private Networks (“VPN”) and IP whitelisting.
PHYSICAL SECURITY
Physical access to information systems shall be protected and monitored. Cloud providers shall be evaluated and selected based, among other criteria, on the perimeter protection of their facilities.
REMOVABLE MEDIA
The use of removable media (USB sticks, external drives, CD-ROMs, etc.) is not permitted within the organisation.
SECURITY EVENTS
All suspected break-in attempts, security weaknesses, or information exposures shall be reported to the ISG.
SYSTEM MONITORING
Connectel shall maintain an audit trail of system access and the tools necessary to monitor system health and state.
TRAINING AND AWARENESS
Connectel shall continuously train all employees in information security and monitor their performance.
VIRUSES AND MALICIOUS SOFTWARE
Physical assets such as mobile phones and laptops shall be protected from viruses and malicious software in accordance with the relevant policies. Users of these assets shall agree not to install unknown software on the organisation’s property without permission from the ISG.
VENDORS AND CLOUD PROVIDERS
Vendors and cloud providers must pass an assessment programme before they can be adopted into the Connectel ecosystem. The programme analyses the entity’s compliance with legislation, its information security, processing facilities, access and operational procedures, and environmental aspects.