Date of version: 2015-10-05
1. Purpose, scope and users
The aim of this top-level Policy is to define the purpose, direction, principles and basic rules for information security management. This policy is part of Elastx entire Information Security Management System (ISMS).
This document is the public version of Elastx Information Security Policy and can be shared with external parties.
2. Basic information security Terminology
Confidentiality – characteristic of the information by which it is available only to authorized persons or systems.
Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.
Information security – preservation of confidentiality, integrity and availability of information.
Information Security Management System – part of overall management processes that takes care of planning, implementing, maintaining, reviewing, and improving the information security.
3. Managing the information security
3.1 Objectives and measurement
General objectives for the information security management system are the following: creating a better market image and reducing the damage caused by potential incidents. Elastx is committed to continuously improvement of their Information Security Management System and strive for better security policies. Goals are in line with the organization's business objectives, strategy and business plans. COO is responsible for reviewing these general ISMS objectives and setting new ones.
Objectives for individual security controls or groups of controls are proposed by cloud:Ops Engineers (which have the appropriate authorization), and approved by COO or CTO in the Statement of Applicability.
All the objectives must be reviewed at least once a year.
Elastx will measure the fulfillment of the objectives by:
- Quarterly Risk analyses and Risk treatment reports.
- In case of platform incidents, provide all affected customers with an Incident report containing; incident events, reason (known and possible), actions taken (short and long term).
- In case of identified security vulnerability/weaknesses this is handled via Corrective Action Policy.
COO is responsible for setting the method for measuring the achievement of the objectives and COO will analyze and evaluate the measurement results and report them to top management as input materials for the Management review.
3.2 Information security requirements
This Policy and the entire ISMS must be compliant with legal and regulatory requirements relevant to the organization in the field of information security, as well as with contractual obligations.
A detailed list of all contractual, legal requirements and interested parties is provided in the List of Legal, Regulatory and Contractual Obligations.
3.3 Information security controls
The process of selecting the controls (safeguards) is defined in the Risk Assessment and Risk Treatment Methodology (INTERNAL USE).
The selected controls and their implementation status are listed in the Statement of Applicability (INTERNAL USE).
3.4 Business continuity
Business continuity management is prescribed in Elastx Business Continuity Management Policy (BCMS).
4. Support for ISMS implementation
Top management declares that ISMS implementation and continual improvement will be supported with adequate resources in order to achieve all objectives set in this Policy, as well as satisfy all identified requirements.