This Security Policy sets forth the commitment of Stiki's Board of Directors on information protection and security in all information processing. Stiki's information assets need to be protected from all risks, internal as well as external, intentional and accidental. Professionalism is the key to success, which is why this Security Policy has been established. The policy's implementation is important for assuring Stiki's staff and clients about the company's integrity and efficiency. The Board of Directors of Stiki has approved this policy and supports its implementation.
This Security Policy applies to all operations of Stiki. It covers the treatment and storage of all information in any form and medium. The policy covers all communication of staff, customers, partners and suppliers. It also covers any recording, processing, communication, distribution, storage and destruction of Stiki information.
The Security Policy applies to facilities and equipment where the information is treated or stored, as well as to staff and contracting clients with access to the information.
The objectives of Stiki's Security Policy are:
- For information to be correct and accessible to those with access authorisation when needed.
- For confidential information to be inaccessible to unauthorised persons and protected against damage, destruction and disclosure to parties without access authorisation, whether intentional or negligent.
- To maintain information secrecy and confidentiality.
- To prevent information from being divulged to unauthorised parties, whether intentionally or negligently.
- For information to be protected against theft, fire, natural disasters, etc.
- For the information to be protected against damage and destruction owing to computer viruses.
- For reliable and secure back-up copies of all main data and software systems to be available at all times.
- For information transmitted through a network to be delivered to the right recipient undamaged and at the right time, ensuring that they are not transmitted to other parties.
- To formulate strategies for business continuity as well as their maintenance and testing to the extent possible.
- For incidents, violations or suspicion of weakness in information security to be reported and investigated.
- For risk owing to the processing (treatment) and preservation of information to be kept within defined risk limits.
Ways to achieve the objective
Stiki's ways to achieve the above objectives are:
- To maintain an inventory of assets and classify them regarding to importance of confidentiality, integrity and availability.
- To analyse regularly by formal risk assessment the value of information assets, their sensitivity and potential threats posed to them.
- To manage risk within acceptable limits by operating a formal information security management system pursuant to ISO/IEC 27001:2013.
- To operate and maintain an organisation manual that includes work flows and rules regarding information handling and processing.
- For Stiki's managment and other staff to comply with the organisational manual as well as all other company instructions.
- To maintain certification under ISO/IEC 27001:27001.
- To comply with lrelevant legislation. See appendix.
- To comply with all agreements to which the company is a party and relate to information security.
- For all Stiki staff to receive training in information security and education in their responsibility for information security.
- For all operations to comply with ISO/IEC 27001:2013.
Responsibility for the Security Policy's implementation and maintenance is divided in the following manner:
- The Board of Directors of Stiki is responsible for this Security Policy and reviews it regularly.
- Stiki's Organisational Manager is responsible for this Security Policy's implementation, and applies appropriate standards and work processes to that end.
- All employees of Stiki are responisble for the work processes intended to ensure the Security Policy's implementation. Stiki's partners, contractors and suppliers are responsible for compliance with the contractual work processes intended to ensure the Security Policy's implementation.
- All Stiki staff shall conduct their work in accordance with the Security Policy. They shall report security incidents and weaknesses relating to information security. Those that deliberately threaten Stiki's information security are subject to litigation or other appropriate legal measures.
This policy is reviewed annually or more frequently if required to ensure its conformity with the objectives of Stiki's business goals.