Global Information Security Policy
This Policy was last updated: Jan 14, 2019
The Global Information Security Policy addresses swedencornet’s (Core Net AB) global security requirements and controls for Information Security, IT Security, Personnel Security and Physical Security. Detailed security requirements may be found in subordinate policies, processes and standards which comprise swedencornet’s (Core Net AB) information security management system (ISMS).
This policy applies to all swedencornet’s (Core Net AB) permanent and temporary employees, including contractors, freelancers and those employed by applicable swedencornet’s (Core Net AB) suppliers as set out in their relevant contracts, in all locations and operations. It is the responsibility of each individual to remain conversant with, and implement the requirements of, this and any supporting policies.
The Global Information Security Policy presents relevant and defining information about the objectives and functions of the swedencornet’s (Core Net AB) Information Security Program and how all of swedencornet’s (Core Net AB) security elements contribute to swedencornet’s (Core Net AB) global security posture. This document provides a high-level view of swedencornet’s (Core Net AB) control environment, which is implemented to minimize malicious or unintended risks to the confidentiality, integrity and availability of swedencornet’s (Core Net AB) assets, including people, facilities, equipment and information in all its forms. It is equally applicable to customer assets under the control of swedencornet’s (Core Net AB). This document provides guidance to everyone with logical or physical access to swedencornet’s (Core Net AB) or customer information and facilities to assist them in implementing good practice whilst carrying out their responsibilities.
Terms and definitions:
Information Security Management System (ISMS)
All of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks.
Information security policy
Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.
Personally identifiable information (PII)
Any information about an individual maintained by an organization, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Information which, when disclosed, could result in harm to the individual whose privacy has been breached. Such information includes biometric information, medical information, personally identifiable financial information and unique identifiers such as passport or Social Security numbers.
Information security event
Identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant.
Information security incident
A single unwanted or unexpected information security event, or a series of such events, that has a significant probability of compromising business operations and threatening information security.
A deliberate deception to secure unfair or unlawful gain.
Data breach
An information security incident in which sensitive, protected or confidential data has (potentially) been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personally identifiable information (PII), trade secrets or intellectual property.
An individual or entity that utilizes or subscribes to cloud-based services or resources.
A company that provides cloud-based platform, infrastructure, application, or storage services to other organizations and/or individuals, usually for a fee, otherwise known to clients “as a service.”
Organization of Information Security:
The Chief Executive Officer (CEO) is the executive sponsor for (information) security and swedencornet’s (Core Net AB) Information Security Program. The Chief Information Security Officer (CISO) is responsible for deploying and maintaining the ISMS, which controls the definition and execution of the tasks to maintain the Information Security Program in a way that supports swedencornet’s (Core Net AB) business goals.
Day-to-day management of swedencornet’s (Core Net AB) Information Security Program is performed by the CISO Office. The CISO Office maintains the ISMS policies, performs security validation tests, manages security incidents, etc. The CISO Office works in close collaboration with the Data Privacy Officer (DPO) Office.
The Data Privacy Officer is responsible for defining swedencornet’s (Core Net AB) stance on applicable privacy law(s) and the privacy law framework for swedencornet’s (Core Net AB). The DPO is also responsible for maintenance of privacy-related policy information in the ISMS.
All swedencornet’s (Core Net AB) Employees
All swedencornet’s (Core Net AB) employees are individually accountable and responsible for information security by maintaining an awareness of and following swedencornet’s (Core Net AB) information security policies and procedures, reporting all potential and real security incidents when discovered, and attending the annual updated information security training.
Applicable Laws, Regulations, and Standards:
swedencornet (Core Net AB) works in alignment with the following laws, regulations, and standards for defining security in the ISMS:
NIST SP 800-171
NIST SP 800-53
Information Security Management System:
The swedencornet’s (Core Net AB) Information Security Management System (ISMS) comprises the people, processes and technologies employed at swedencornet (Core Net AB). Global Policies are used to define the high level requirements of the ISMS, outlining the effects to be achieved to support swedencornet’s (Core Net AB) business aims. Supporting policies and standards are used to specify how the requirements of the ISMS will be met at the operational level.
Monitoring the ISMS:
The ISMS is controlled by the CISO Office. The CISO Office shall identify the controls most critical to supporting swedencornet’s (Core Net AB) business aims and decide the appropriate performance indicators for each, along with the team responsible for implementing, monitoring and reporting on control effectiveness. Effectiveness reports may be produced at regular intervals. Regular assessments may be made to consider the evolving threat environment and swedencornet’s (Core Net AB) business aims to ensure control performance is adequately supporting the organization and that risks are appropriately addressed.
Security Risks Management:
swedencornet’s (Core Net AB) information security strategy supports swedencornet’s (Core Net AB) aims by identifying, prioritizing and managing its security risks. Operational teams throughout the organization are responsible for identifying, assessing and managing their risks in accordance with swedencornet’s (Core Net AB) Risks Management Policy. Security and privacy risks are addressed through the application of appropriate security controls and associated risk treatment plans and the acceptance and management of residual risks. Oversight and governance of the risk management processes is exercised by the CEO and CISO as appropriate.
swedencornet (Core Net AB) operates in an environment where it must comply with national and international laws while consistently demonstrating an effective ISMS. Additionally, as threats constantly change and develop, so must swedencornet’s (Core Net AB) controls, whilst at the same time continuing to support business aims.
Therefore, swedencornet’s (Core Net AB) ISMS may be kept under regular review to ensure that the policies and controls in place continue to support business aims by adapting to the changing threat landscape; that any statutory or regulatory requirements are considered when applying and managing controls; that consequential risks are identified and appropriately managed; and that any changes to the legal or regulatory environment are incorporated. For these reasons swedencornet (Core Net AB) monitors the effectiveness of its controls by: conducting tests against its infrastructure, for example penetration or vulnerability testing; collecting information on policy compliance, such as endpoint encryption and AV status; conducting audits across the ISMS by its internal teams; and exercising its contingency and response plans.
The results of these governance activities may be contained in reports distributed to the appropriate teams and their management, and it is the responsibility of the control owners to ensure that any weaknesses are mitigated and managed.
Access Control:
Access to swedencornet’s (Core Net AB) systems and information must be controlled to protect its confidentiality, integrity and availability. Accordingly, access is restricted to those with a ‘need to know’ and is reviewed periodically to ensure appropriate access is maintained. Access credentials must meet specific minimum requirements, depending on the subject system, to reduce the risk of unauthorized access.
Business Continuity:
swedencornet (Core Net AB) has a global presence and offers services and products to its customers. The implementation of an effective Business Continuity policy ensures preparations are made to identify risks which may affect swedencornet’s (Core Net AB) ability to operate during an incident and to recover quickly in the aftermath. All swedencornet’s (Core Net AB) employees must ensure they understand the business continuity process and their place in it. Business continuity plans and processes may be regularly reviewed and tested to ensure effectiveness.
Information Classification, Handling and Retention:
Information assets created, stored and used within swedencornet’s (Core Net AB) have value, which must be identified by the asset owner or creator to allow the appropriate security controls to be applied. Additionally, information processed for customers in swedencornet’s (Core Net AB) services and products must be classified according to its value to the customer.
All employees are required to protect information according to the data classification assigned to it. Access to all classified information is based on the Need-to-Know principle. Although people might be authorized to access information, they should only access data when strictly required.
Security Incident Management:
A risk-based approach to security focused on supporting business aims, such as that implemented by swedencornet’s (Core Net AB), accepts the likelihood that a security incident will occur at some point. Therefore, all swedencornet’s (Core Net AB) employees must ensure they know how to identify and report a security incident and must be fully familiar with their involvement in the incident management process. swedencornet’s (Core Net AB) security incident management processes must be in place and tested.
swedencornet’s (Core Net AB) security incident management process follows a four-stage approach focused on: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity. This supports swedencornet’s (Core Net AB) business continuity policies and processes.
Physical Security:
Information and assets at swedencornet’s (Core Net AB) facilities must be classified according to their organizational value and appropriately protected. swedencornet’s (Core Net AB) physical security policy defines guidelines for the identification, assessment and management of physical security risks and the implementation of several security zones within the facility.
Data Privacy:
swedencornet’s (Core Net AB) employees may handle a variety of personal information for both other swedencornet’s (Core Net AB) employees and for customers. In some cases this personal information may fall into the category of sensitive information, such as healthcare data, which requires increased levels of protection. In all circumstances, personal information and sensitive personal information must be processed and stored in accordance with swedencornet’s (Core Net AB) policies and any applicable local legislation.
swedencornet’s (Core Net AB) Data Privacy Officer may maintain a Privacy Legislation Framework to meet regulatory requirements for data privacy. The Privacy Legislation Framework covers relevant privacy legislation for swedencornet’s (Core Net AB) as a data controller and/or data processor.
Privacy Impact Assessment:
The implementation of swedencornet’s (Core Net AB) Privacy Legislation Framework supports privacy by design. Part of privacy by design may be the execution of a Privacy Impact Assessment to ensure proper protection of personal data.
ICT Systems Management:
Information and Communication Technology (ICT) Systems include all ICT systems used by swedencornet (Core Net AB) in swedencornet’s (Core Net AB) ICT infrastructure, whether built in-house or hosted by third-party service providers. swedencornet (Core Net AB) must meet the baseline security requirements for ICT system installation and maintenance.
Cryptography:
swedencornet (Core Net AB) uses cryptography to protect physical and logical assets. Cryptographic solutions must be employed correctly for them to be effective, and cryptographic keys must be managed to ensure their availability.
Supply Chain Security:
swedencornet’s (Core Net AB) supply chain constitutes a risk due to the reliance on a third party implementing appropriate controls to protect services and information. swedencornet’s (Core Net AB) vendor on-boarding process must include an information security assessment which varies in detail depending on the goods or services to be provided, or the level of physical or logical access provided to the vendor. Additionally, appropriate ‘Right to audit’ clauses must be contained in all vendor contracts which allow swedencornet (Core Net AB) to carry out periodic assessments of the effectiveness of a vendor’s controls. Vendor contracts may also include a set of minimum expected security requirements for protecting swedencornet’s (Core Net AB) assets and information and an obligation for the vendor to inform swedencornet (Core Net AB) if they suffer a successful cyber-attack.
Secure Software Development:
Application source code and algorithms developed by swedencornet (Core Net AB) are considered intellectual property. Such information is accessible on a Need-to-Know basis and requires specific security controls. Such controls are documented by the teams holding such information.
Training & Awareness:
Information security training is provided to all swedencornet’s (Core Net AB) employees, contractors and vendors, through a variety of media. The CISO is responsible for the content of the ‘in house’ training delivered within swedencornet’s (Core Net AB) and approves any externally provided training for specific roles.
This Policy may be updated from time to time as swedencornet’s (Core Net AB) services change and expand. We suggest that relevant stakeholders review this Policy periodically. If we amend the Policy, the new Policy will apply.