This security policy applies to the Company and to all employees, partners, and contractors. It expresses the Company's will, is the basis for all safety work within the organization, and includes:
Information security also includes the protection of personal data.
Sufficient security and continuity are key to achieving business objectives and managing risks.
Security aims to create security for both customers and employees and to protect the company's assets in the form of employees, property, information, and brand.
Business continuity management aims to ensure that critical or important functions can be carried out at an acceptable level even if they are subject to serious disruptions and disasters.
Under this policy, there are internal regulations in the form of adopted guidelines and instructions that regulate in more detail security and continuity controls and requirements within the Company.
Information security and confidentiality are prerequisites for achieving the Company's corporate culture and values.
Effective security work supports our business by identifying threats, vulnerabilities, and risks regarding our information assets, designing and implementing security measures that make the business safer by reducing risks and ensuring that we can conduct business at an acceptable level, regardless of what disruptions occur.
Security and continuity are an integrated part of our business to promote a responsible security culture. The security culture within the Company shall:
Everyone within the Company has an obligation to inform the security organization, risk, and control functions of any security and continuity-related issues relevant to their respective duties.
All employees within the Company should feel secure and safe at work. Therefore, we need internal governing documents regarding how to take action and what/how to report in the event of threatening or violent situations.
This also applies to incidents where employees are suspected of irregularities. To ensure that employees feel safe to report misconduct and violations without risking any form of retaliation, specific guidelines for whistleblowing shall be established.
Personnel security and safety must always be a priority.
There must be physical protective measures that help protect people, employees, offices, equipment, and operations against fire, burglary, sabotage, etc.
The Company must have well-developed and efficient workplace protection that has a clear division of responsibilities and works systematically with fire protection issues, etc.
Fire and evacuation drills, as well as fire protection training, must be carried out regularly.
Information is one of the Company's most important assets - it concerns, for example, our customers, employees, products, and finances. Information is handled orally, in writing, and with the support of information systems with underlying ICT infrastructure.
A suitable, adequate, and effective information security management system provides assurance to the organization's management and other interested parties that their information and other associated assets are kept reasonably secure and protected against threats and harm, enabling the Company to achieve its stated business objectives.
Information security shall be conducted in a systematic and risk-based manner and will be carried out within the framework of the Company's information security management system.
Information security shall be governed by:
The risks and consequences of processing and protecting personnel data must be assessed based on how sensitive the data is and according to the risks that the processing entails.
In addition, the Company must impose needs-based traceability requirements, if necessary, to check afterwards how information has been processed and by whom.
All security measures, in the form of technical or organizational controls, shall aim to ensure that the above requirements are met to achieve the security goals of the organization.
All employees must regularly undergo training in information security.
Critical or important functions within the Company must be able to be conducted at an acceptable level even if exposed to serious disruptions and disasters.
Risks related to the ability to carry out critical activities at an acceptable level, even during disruptions or disasters, must be considered in crisis management plans, business continuity plans, and disaster recovery plans.
Compliance with the security policy and underlying internal guidelines shall be monitored, assessed, and audited regularly.
The Board of Directors and the CEO shall regularly receive reports on the overall status of security and continuity of operations.
In addition, the CEO and/or the Board of Directors must be immediately informed of serious deficiencies regarding security and continuity management.