Information Security Policy for our customers
1. Introduction
1.1 Purpose
This Information Security Policy is put into force by the management and documents the fundamental requirements for information security at ITpoint Systems AG. It forms the basis for all further instructions and activities in information security management and demonstrates the high value placed on the confidentiality, availability and integrity of information in the care of ITpoint Systems AG.
ITpoint Systems AG is aware of the fact that absolute security cannot be achieved in a flexibly used IT infrastructure. This policy therefore defines a level of security to be aimed for, taking into account factors such as functionality, costs, efficiency and legal requirements. ITpoint Systems AG is particularly committed to the security of customer assets.
1.2 Scope of validity
This document, the regulations contained therein and the documents derived from it are binding for all internal and external employees of ITpoint Systems AG and must be brought to their attention. The scope of application extends to all services, data, systems and components under the responsibility of ITpoint Systems AG.
The security regulations of agreements with customers, partners and suppliers are aligned with this Information Security Policy.
1.3 Violations
Violations are defined as actions that have caused or could cause damage. Damage includes financial losses, damage to reputation and legal violations that carry penalties. This also includes the use of company or customer information for illegal or non-business purposes.
Intentional or grossly negligent violations of this Information Security Policy and the regulations derived from it may have disciplinary or labor law consequences - in serious cases also criminal or civil law consequences.
1.4 Approval and amendment
The Information Security Policy is approved and implemented by the management of ITpoint Systems AG. It is reviewed regularly, but at least once a year, and updated if necessary.
Changes are proposed by the Chief Information Security Officer at the management review and are discussed and approved by the Executive Board.
Exceptions are proposed by the Chief Information Security Officer or the Change Advisory Board and approved by the CEO or the Executive Board.
1.5 Legal, contractual and internal requirements
ITpoint Systems AG undertakes to comply with all legal and contractual requirements.
2. Security objectives
Information is crucial to the success of ITpoint Systems AG and its customers. In addition to availability, the confidentiality of information is also of the utmost importance. Every employee must therefore be aware of the need for information security and act accordingly. This is not only required by law, but is also part of our obligations to customers and supervisory authorities. ITpoint Systems AG wants customers, employees, partners and suppliers to understand that ITpoint Systems AG is a secure and trustworthy service provider.
The following security objectives have been adopted by the ITpoint Systems AG management:
- Protection of assets, and especially of information, according to the criteria:
  - Confidentiality
  - Integrity
  - Availability
- All products and services offered by ITpoint Systems AG comply at all times with the agreements with customers regarding quality and security. The security level of our products and services is in line with the market.
- All employees assume their own responsibility with regard to security matters. Employees are enabled to do so through appropriate measures.
- Contractual partners of ITpoint Systems AG (customers, partners, service providers, external consultants, suppliers, etc.) comply with the relevant security requirements. At least one mutual non-disclosure agreement (NDA) is signed.
- Legal regulations are complied with.
3. Implementation
In order to achieve the objectives, the following framework conditions must be observed and ensured.
3.1 Security awareness
The guidelines on security objectives and measures are communicated at regular intervals, at least once a year. In particular, it is ensured that new internal or external employees are familiarized with the security regulations and made aware of their personal responsibility. ITpoint Systems AG offers its employees IT security training to promote awareness and to pass on knowledge from day-to-day business. In addition, a regular security newsletter has been established, which is made available via the company's internal communication platform.
3.2 Risk management
Risk assessments are carried out periodically as part of the risk management process. The risk management system is an integral part of the information security management system and is based on the ISO27005 standard. All relevant threats are assessed for the extent and frequency of damage in accordance with ISO27005. In addition, the ENISA threats are periodically reviewed and reassessed.
The risk analysis serves to determine the risk in detail based on conformity with the defined ITpoint Systems AG security standards, as well as possible additional measures that are taken in the event of increased protection requirements.
The measures defined in the Information Security Management System (ISMS) cover the standard threats and vulnerabilities as part of basic security.
The risk acceptance criteria are defined by the Executive Board and reviewed annually. If the risks are too high, mitigation measures are defined.
3.3 Security measures
ITpoint Systems AG takes technical and organizational security measures to protect and maintain all systems and data that are critical to the company and relevant to our business activities.
4. Security organization
4.1 Management
The management of ITpoint Systems AG bears overall responsibility for security, makes decisions in this area and approves the security policy. A management review takes place periodically, but at least once a year. The Security Manager and the Process Manager prepare a consolidated ISO20000/27001 management report, which is signed by the management.
The report contains at least the following aspects in relation to ISO27001:
- General state of the security management system
- Audits carried out
- Development of the security status
- Definition and achievement of security objectives
- Risk situation and status of special risks
Decided measures are documented in the minutes.
4.2 CISO
The CISO is defined as a staff position reporting to the management. The CISO forms the interface between the Security & Compliance team and the management.
4.3 Information Security & Compliance Manager
The Security & Compliance Manager is tasked with ensuring the protection of information assets and is responsible for the implementation and coordination of security measures.
4.4 Information owner
The information owners ensure in their area of responsibility that
- the information and systems are classified according to business relevance
- the security objectives are met
4.5 Information users
Each business unit of ITpoint Systems AG is responsible for the security of its information in terms of confidentiality, integrity and availability and for the appropriate protection of the information according to its value and risk for the business or technical environment concerned.
The obligations of information users are referenced in the service contracts as well as in the contracts with external employees.
4.6 Partners, suppliers, visitors
If information is exchanged with partners or suppliers, a Non-Disclosure Agreement (NDA) is signed. The ITpoint Systems AG NDA applies mutually and for the cooperation defined in the NDA.
4.7 Crisis team and emergency management
A separate process is defined for crisis management and is regularly reviewed by means of crisis team exercises.
The crisis team has the task of managing the handling of business-critical incidents (such as a major incident) that escalate into crises.
ITpoint Information Security Policy
Version: 2.1 | 16.12.2024