Information security policy (ISP)
Information security statement
Consortix Ltd. (hereinafter Consortix) is one of Europe's leading AML consultancies. Using market-leading products and technologies that comply with international standards and recommendations, and with the help of its highly qualified staff, it provides financial service providers with solutions against business abuses, including money laundering, terrorist financing and other misuse. It manages its information security planning tasks in a comprehensive manner.
Consortix has a fundamental interest in the security of its information systems and of the data and information they hold, namely in:
- the confidentiality and
- the integrity
of the information and data held by Consortix, in the efficient and economical use of IT resources and information management, and in full compliance with the relevant legal requirements.
Given that the above criteria for safeguarding electronic information differ from the classical tasks of asset protection, Consortix has developed and implemented an information security management system to protect its information assets and IT resources and to secure the IT systems used to carry out its activities. This set of regulatory documents, prepared in accordance with internationally recognized information governance practice, is collectively referred to in this document as the Information Security Governance System, or IBIR for short.
Consortix has developed and maintains the IBIR in order to achieve the high standard of operation it aims for, taking into account industry best practice and the requirements of the relevant legislation and standards, in particular ISO/IEC 27001:2014 and the European General Data Protection Regulation (GDPR).
By applying the IBIR, all Consortix employees are able to meet Consortix's information security expectations, enabling Consortix to provide a high level of service to its customers and to earn their trust through its exemplary data management practices.
The IBIR enables Consortix to manage information securely and economically, in a risk-conscious manner, which is key to Consortix's success.
Consortix management is committed to providing the human and technical resources necessary to operate an information security management system.
Consortix continuously strives to ensure that its information security objectives and principles are reflected in the products and services it delivers. It is committed to promoting error prevention and the continuous improvement and development of all elements of its activities, based on the life cycle model.
Scope of the information security policy
The personal scope of the Information Security Policy covers:
- all Consortix departments and employees;
- any natural or legal person or unincorporated organisation acting under contract with Consortix Ltd.
The material scope of the Information Security Policy covers all information and data generated in Consortix Ltd., received from external sources or transmitted from Consortix Ltd., regardless of the medium or form in which it is presented. The document also covers all existing and future data carriers and IT devices on which Consortix data is stored or processed, or which support Consortix business processes, throughout their life cycle (from acquisition to destruction, disposal or sale), as well as the activities related to their creation, operation and use.
Geographical, physical scope
The territorial scope of the Information Security Policy extends to all buildings and premises where the assets within its scope are located.
Date of entry into force of the Information Security Policy: 2022.03.01. The Information Security Policy is valid until revoked.
Classification of the Information Security Policy
The Information Security Policy is classified as a public document; in addition to those covered by the Policy, its content is available to, for example, Consortix partners and customers.
The specific security procedures and solutions used in the implementation of the Information Security Management System are a Consortix trade secret.
An official hard copy of the Policy and the official electronic version are kept by the Information Security Manager.
Consortix management, recognizing and assessing the risks inherent in the electronic processing of information, is committed to protecting information in a way that will enhance its competitiveness and image in the future and give it a market advantage.
In order to achieve these objectives, the Information Security Policy defines:
- responsibilities for information security,
- procedures for the secure management of information,
- the protection of information resources,
- rules for the management of information security incidents,
- the form and manner of accountability.
Information is an asset of value to the company and should therefore be adequately protected. This is particularly true for companies providing services to financial service providers, where a large part of the information managed in the system is customer financial transaction data.
In order to establish and maintain adequate security of information and of the information system throughout the organization, a comprehensive information security framework must be established. It includes a security policy setting out general security guidelines and objectives, security regulations, documented security procedures detailing the security requirements and procedures, and implemented and monitored security controls. The first step in this process is for management to identify and communicate the security objectives and directions to be implemented.
The purpose of this Information Security Policy is to set out management's direction for information security and the requirements of the overall framework, and to demonstrate management's support for information security. It is formulated to reduce Consortix's information security risks to an acceptable level.
Provision of resources
The Consortix management is committed to the operation and continuous improvement of the information security management system and will ensure that the necessary technological and human resources are fully available at all times. It will establish the responsibilities and authorities within the organisation needed for the smooth functioning of the information security management system, take the strategic decisions necessary for its continuous improvement, implement the necessary changes in the policies, and monitor and control the functioning of the system at management level.
Management representative
For the design, supervision, management and control of the information security management system, the Consortix management appoints an Information Security Manager, who has full authority to determine whether the company's information security management system is operating in compliance with the regulatory environment, whether the information security management system complies with the requirements of the current version of ISO 27001 and the applicable legal requirements, and whether the controls applied are in accordance with the current version of ISO 27002 and the applicable national and international recommendations.
The Information Security Manager has full authority in information security matters and has the right and the duty to evaluate changes, developments and investments affecting the information processing system from an information security point of view. The Information Security Manager assists the Consortix management in making decisions affecting information security by developing proposals and preparatory materials for decisions, enforces the measures taken, and continuously measures and evaluates their effectiveness against the objectives set by the Consortix management.
The Chief Information Security Officer reports directly to the Consortix Management and is a member of the Consortix Management with consultative rights on information security issues.
Management review
Consortix shall conduct regular internal reviews under the supervision of the Executive Director to ensure the proper and effective functioning and continuous improvement of the IBIR system implemented. Internal audits may be ordered by the Managing Director of Consortix as follows:
- regular internal audits in accordance with the audit plan;
- in the event of the introduction of a new service, IT investment or a significant change to IBIR;
- as a pre-audit before supplier or certification audits.
External audits of IBIR will be carried out at intervals determined by the certification body under the supervision of the Consortix Managing Director.
Information Security Manager Forum
In order to ensure that initiatives and solutions concerning information security and the IBIR system are in line with the security direction and vision of the Consortix management, the Consortix operates an Information Security Manager Forum, which meets regularly. The members of the Forum are the CEO, the Chief Information Security Officer, the Chief Technology Officer and their invitees. The Forum will use reports and comments from departments that affect the Consortix information assets and the IBIR system to make its decisions. The Forum typically carries out the following tasks:
- Reviews and approves the documents that constitute the administrative protection of the IBIR system.
- Defines responsibilities for information security.
- Identifies and sets the direction for improvement.
- Reviews and monitors security incidents.
- Allocates resources to perform tasks.
The Information Security Management Forum is the highest decision-making body of IBIR.
Structure of the information security management system
The IBIR is part of the Consortix administrative security system and is intrinsically linked to the Information Security Strategy.
The Information Security Management System consists of the following documents, which are closely interlinked:
- Information Security Policy,
- Information Security Regulations,
- IT Strategy,
- Declaration of Suitability for use,
- Inventory of data assets,
- Data map,
- Information asset inventory,
- Process descriptions broken down by area,
- Information security risk management methodology,
- Risk analysis,
- IT User Policy,
- Business continuity framework,
- Business Continuity and Disaster Recovery Plan,
- Development policy,
- Cryptography rules,
- Employer's privacy notice,
- Website and CV retention information,
- Annual training plan,
- Data processing agreement,
- CISO Service Annex,
- Operational Service Annex.
It is the responsibility of the Executive Director of Consortix to create, promulgate and ensure the ongoing maintenance of the elements of the IBIR set out in this Policy.
Information Security Strategy
The Consortix management sets out in this restricted document the strategic steps to be taken in the long-term development of information security. The strategy will be developed based on preliminary risk assessments and will be defined by the Information Security Management Forum.
Information Security Policy
The Information Security Policy (hereafter the ISP) is a restricted document that defines the rights and responsibilities of the staff operating the Consortix information processing system, the Information Security Manager and the Data Administrators, and details the procedures they must follow when communicating with each other. The purpose of the policy is to ensure the secure operation of IT resources and the operation and operational control of preventive, detective and corrective security measures within a well-defined framework, irrespective of the technology used.
The document regulates in detail the communication with users, without specifying the obligations of the users themselves.
Data Asset Inventory
An integral part of the Information Security Policy is a data asset inventory, which for each information asset defines:
- the owner of the asset,
- the asset's storage arrangements,
- the value of the asset.
The inventory of information assets shall also include:
- the information technology assets (technology), including hardware and software components, involved in the realization of the Consortix business objectives,
- the environmental infrastructure.
The responsibilities and competences for the up-to-date inventory of data assets shall be laid down in the ISP.
Information security risk management methodology
Striving for security requires taking risks consciously. Establishing a risk analysis methodology is essential so that Consortix management has a comprehensive view of the security risks to its information assets and can make prudent decisions on security development. To achieve this, Consortix applies a qualitative risk analysis methodology in the design and development of the IBIR. The Consortix risk analysis methodology aims to:
- distinguish between low and acceptable risks,
- determine the risk levels of information and IT systems, and then
- develop protection measures based on the risk level.
The relationship between the frequency-of-occurrence and risk-level scales set out in the Risk Analysis Methodology, and the damage values, estimated frequency of occurrence of vulnerabilities and risk levels recorded in the Asset Inventory, is defined by the risk matrix set out in the methodology.
IT User Policy
The purpose of the IT User Policy is to define a set of requirements for Consortix employees, in order to establish the security and ethical standards that Consortix considers to be correct and in the best interest of the company.
The document regulates in detail the obligations of users when using IT tools, defining the boundary conditions under which a user interacts with the operators of the information processing system, the Information Security Manager or the Data Administrator. The policy details the activities that a user may and may not perform, specifies the form and method of accountability, and sets out the obligations relating to the reporting of security incidents.
This policy forms the basis for user training, which users are required to attend and sign to acknowledge that they understand and accept the contents of the policy.
Business continuity and disaster recovery plan
The Business Continuity and Disaster Recovery Plan ensures the continuous and orderly operation of the defined critical business processes and of the IT services that serve them, even in the event of a disaster. The plan, approved and issued by Consortix management, sets out its preparedness phase, outage management phase and recovery phase.
Security awareness, ethics, education
The Consortix management wishes to draw the attention of all persons covered by this document to the fact that security-conscious, responsible behavior is essential for the successful operation of the IBIR. Considering that any security system is only as strong as its weakest link, the Consortix management expects everyone to conduct their daily activities in compliance with the rules and regulations, and not to allow anyone to make Consortix vulnerable to attack or to act as an attacker.
The Consortix management stresses that, although ethical issues relating to IT are not yet fully understood and have not yet become an integral part of our lives, it expects everyone to act in accordance with the spirit of the IBIR rules, beyond the letter of the rules set out in the IBIR, and to bear in mind that an act not prohibited by the IBIR is not necessarily ethical.
In order to ensure that the IBIR is understood and enforced by all, Consortix organizes annual information security training sessions, which are compulsory for all users covered by the policy, except for those who are exempted. The aims of the training are:
- to provide everyone with a basic knowledge of information security,
- to inform everyone of changes in the IBIR,
- to make everyone aware of the need to protect information by evaluating security incidents that have occurred in the meantime.