Information Security Policy

Demystify has controls to protect the confidentiality, reliability, and availability of information that is owned by or entrusted to them including all business and personal information.

The intent of this document is to provide assurances to customers, potential customers, and any other interested parties that information in our company's custody is properly protected – and that the protections in place are consistent with applicable compliance requirements.

Overview

Demystify provides software, consulting, and online services. The Board of Directors and management of Demystify are committed to preserving the confidentiality, reliability and availability of all physical and electronic information assets throughout the organization in order to maintain legal, regulatory and contractual compliance, to safeguard business integrity and commercial reputation, to continually raise awareness of infosecurity considerations among employees at all levels, and to strengthen the resilience of the company's information systems.

To achieve this, Demystify has implemented a Group-wide Information Security Management System (ISMS) in accordance with the requirements of the international standard ISO/IEC 27001:2013. The ISMS is subject to continuous systematic review and improvement. In accordance with the ISMS, Demystify demonstrates its commitment to information security by:

Assigning dedicated personnel and allocating budget to security management.

Implementing appropriate security technology and high-availability, recoverable systems and facilities.

Relying on a risk management system to identify, control, minimize or prevent the security risks that may affect information and information systems.

Continually evaluating and improving procedures related to security.

Striving to maintain compliance with all applicable legal and industry requirements.

Adopting and enforcing requisite policies and ensuring that employees are kept aware of the ISMS and their responsibilities towards it via communication and training programmes.

Demystify uses security policies and standards to support business objectives within its information systems and processes. These policies and standards are implemented, communicated, and reviewed on a regular basis and reflect the executive management team's commitment to information security.

Policies and standards are in place to govern the protection of each company’s information assets and any information assets of our customers (and others) that have been entrusted to Demystify.

Responsibilities

The following functions are responsible for implementing this security policy:

An infosecurity steering committee in charge of setting company infosecurity policies and procedures.

A Chief Information Security Officer (CISO) responsible for the ongoing management of infosecurity issues in the company.

Activity Areas and Infosecurity Rules

In order to meet management's infosecurity responsibility and commitment, the following rules have been set for each activity area:

Logical security is the main protective layer, the one closest to the information stored in IT systems. The CISO will determine the level of logical security required for the various components of these systems. An access authorization and control policy will be applied based on employees' roles and on a need-to-know basis.

Physical security will be implemented to prevent actions that could result in exposure, theft, modification or destruction of information, in line with the classification level of the information in question.

HR infosecurity principles have been determined in order to reduce the risks related to employee reliability issues, lack of employee awareness or deliberate attempts by employees to compromise the company’s information and information systems.

Secure development aspects are integrated in IT system development processes.

Purchasing and vendors. Infosecurity requirements governing communication and work with third parties and contractors have been implemented.

Backup. The company has defined processes to ensure the reliability, integrity and availability of information: the various types of information held by the company have been identified, and the backup requirements for each type are defined according to its sensitivity.

Access control. Rules and principles for granting access to information systems and for controlling that access have been determined.

Encryption mechanisms have been integrated in company systems in order to protect sensitive information against exposure and modification.

Remote access to the company’s network by employees and third parties will be enabled and controlled according to infosecurity guidelines.

Mobile devices. The company's infosecurity principles and guidelines are implemented in order to ensure secure use of laptops and other mobile devices and to prevent damage to the integrity, reliability, availability, confidentiality and survivability of information stored on them.