Objectives and Scope
In line with the Company's mission, the KanbanBOX policy is that the management of all Company processes must be established through the application of the Information Security Management System (ISMS), in accordance with the guidance provided by ISO/IEC 27001 and the guidelines contained in ISO/IEC 27002, to ensure the safeguarding and protection of information from all threats, internal or external, intentional or accidental, within the scope of its activities.
This Policy applies without distinction to all KanbanBOX entities, at all levels, and to all parties entrusted by them to process data.
The implementation of this policy is mandatory for all employees and is included in the regulation of agreements with all external parties who, in any capacity, may be involved in the processing of information falling within the scope of the Information Security Management System.
The Company permits the communication and dissemination of information to the outside world only where required for the proper conduct of the Company's business, and only in accordance with the applicable rules and regulations.
Information Security Policy
The information assets to be protected consist of all the information managed by the services provided; for this information it is necessary to guarantee:
- the confidentiality of the information: i.e. the information must be accessible only to authorised persons;
- the integrity of the information: i.e. to protect the accuracy and completeness of the information and the methods used to process it;
- the availability of the information: i.e. that authorised users can actually access the information and related assets when they request them.
The lack of an adequate level of security can lead to damage to the Company's image, a lack of customer satisfaction, the risk of incurring penalties for non-compliance with applicable regulations, as well as economic and financial damage.
The Company has identified all its security needs through a risk analysis, which has enabled it to become aware of the level of exposure of its information system to threats.
The Risk Assessment provides an evaluation of the potential consequences and damage that could result from the failure to apply security measures to the information system, and the realistic likelihood of the identified threats being realised.
The results of these assessments determine the actions required to manage the identified risks and the most appropriate security measures.
Responsibilities
Compliance with and implementation of this policy is the responsibility of:
- all personnel who, in any capacity, work with the Company and are in any way involved in the processing of data and information covered by the Management System. All personnel are also responsible for reporting any anomalies and violations of which they become aware;
- all external subjects who have relations and collaborate with the Company; they must ensure compliance with the requirements contained in this document;
- the Management System Manager, who, within the framework of the Management System and through appropriate rules and procedures, shall:
  - carry out risk analysis using appropriate methods and adopt all risk management measures;
  - establish all the rules necessary for the safe conduct of all Company activities;
  - investigate security breaches, take the necessary countermeasures, and control the Company's exposure to the main threats and risks;
  - organise training and promote employee awareness of all information security issues;
  - periodically review the effectiveness and efficiency of the management system.
Anyone, whether an employee, consultant or external collaborator of KanbanBOX, who deliberately or negligently disregards the established security rules and thereby causes damage to the organisation may be prosecuted in the appropriate fora, in full compliance with legal and contractual constraints.
Management Commitment
Management actively supports Information Security through clear direction, clear commitment, explicit assignments and recognition of information security responsibilities.
Management's commitment is implemented through a structure whose functions are to:
- ensure that all information security objectives are identified and that they meet the requirements of the organisation
- define the roles and responsibilities within the organisation for the development and maintenance of the ISMS
- provide sufficient resources for planning, implementing, organising, controlling, reviewing, managing and continuously improving the ISMS
- ensure that the ISMS is integrated into all business processes and that procedures and controls are developed effectively
- approve and support all initiatives to improve information security
- activate programmes to disseminate information security awareness and culture
- review the entire ISMS at least once a year, updating in particular the risk analysis and assessment
- implement a process leading to continuous improvement of the ISMS.