1 Inepro Group Information Security Policy
Inepro has a wide range of applications that work seamlessly together with its hardware products and enhance their overall effectiveness. Together they make up the complete solutions offered by Inepro to education, care, government and corporate organisations. Intuitive and clear controls are paramount in the development of the applications. The user-friendly interfaces ensure an efficient and pleasant work experience. All applications can be fully configured to meet your specific requirements completely.
The software is divided into two categories: back-end applications such as management and accounting software, and front-end applications such as point-of-sale solutions, cloud printing and embedded software for MFPs.
In addition to the software, Inepro Group also develops and delivers services for implementation, training, coaching, maintenance, support and hosting.
However, some customers and prospects now require Inepro Group to hold an ISO 27001 certificate. Inepro Group considers obtaining the ISO 27001 certificate a measure to cover a short-term operational risk: without the certificate, it may lose major customers or orders.
2 Responsibility, purpose and audience
Considering the possible impact of disruptions on the business operations and continuity of Inepro Group and its customers, the Board of the Inepro Group has the overall responsibility for the information security policy.
The Information Security Policy Document (hereinafter referred to as the IS Policy) aims to manage the risks related to the confidentiality, integrity and continuity of the information supply within the Inepro Group and can be defined as follows:
‘Offering a framework of policy principles for the confidentiality, integrity and availability of the information supply for which a balanced (effective and efficient) system of interrelated measures has been developed to protect the structure against internal and external threats.’
All stakeholders must ensure that the policy principles set out in this IS Policy are met in the implementation of the organisation, procedures, methods and the used information systems.
This policy applies to all information created, received, transmitted or stored as part of the services the Inepro Group provides to its customers, the related contractual obligations and the supporting processes. The policy and its implementation apply to all employees of the Inepro Group. Deviations must be reported so that the management system can be continuously improved. The policy also applies to the contractors who help Inepro Group provide services to its customers.
The ethical code is an integral part of this policy and must be observed by all employees, contractors and trainees. The Inepro Group strives to select security measures based on logical principles that are as cost-effective and sustainable as possible. These principles are:
- You do not need to secure data that are not in your possession or that are not confidential.
- Do not drag data around (i.e. do not copy them).
- Separate data.
All employees must put these principles into practice.
3.1 Ownership and scope of the policy
Inepro Group is responsible for providing its services with sufficient security options to enable its customers to meet the applicable IS standards and other laws and regulations. The hosting and management of the software also meet these requirements. However, this does not release the customer from the ultimate responsibility for the security of its own information supply.
Each information system, including the associated data, must have one explicit owner. Ownership implies the ultimate responsibility for the system, including determining the risks associated with the system, classifying the system and the associated data, and the (outsourced) development of adequate means of security and internal control measures. In addition to the application, this also includes the correct use of the infrastructure components (workstations, servers and the internal and external network), the correct processing, the adequate management, the proper performance of staff, agreements with third parties, and the physical security and facilities used to prevent or handle incidents and calamities. The figure below includes all listed components of an information system.
We call this the ultimate responsibility because a number of aspects of the information system are outsourced to other holders, for example, the Inepro Group. No maximum level of security is pursued, but rather the best possible level to ensure Inepro Group can outsource its services at acceptable costs.
3.2 Developing this policy
Risk analyses are carried out based on this policy, and a set of measures and controls is defined as an internal standard that serves as the minimum level for the services provided to customers. A higher level of security can be agreed on with a customer in consultation.
3.3 Assessment of effectiveness and compliance with the policy
The Board will internally assess the effectiveness of and compliance with the policy and make any adjustments that are necessary.
An internal audit will take place each year. This internal audit includes a reassessment of the risks, new contracts, and laws and regulations. The audit report also includes a plan with suggestions for improvement. The Board will assess the report, accept or reject the proposals and allocate a budget to achieve them. This has been captured in the diagram below.
A competent and skilled external party will annually audit the effectiveness of the IS management system. This report will be available to (potential) customers.
4 Policy principles/IS objectives
The Board uses these policy principles/objectives to indicate how it wants to implement the information security in a manner which is appropriate for the Inepro Group. The following principles/IS objectives must be used when implementing this policy:
1. Information security is an important operational risk for the Inepro Group. This is why the Board adopts the policy, assesses the risks, determines the measures, and periodically arranges the internal and external assessment of these measures to ensure that the IS management system continues to operate adequately and is improved where necessary.
2. Inepro Group complies with relevant legislation and the contractual agreements with its customers and business partners for its information security.
3. Inepro Group strives to continuously improve the services it provides to its customers.
4. The objectives and control measures of the NEN-ISO/IEC 27001 standard and the privacy guidelines of the AP, insofar as they contribute to the information security of the Inepro Group, serve as the foundation for the measures that need to be defined. This is mainly an economic consideration.
5. Inepro Group considers cybercrime an undesirable social problem and believes that it is its duty to take suitable measures to limit the damage caused by criminal activities as much as possible.
6. Inepro Group considers trust an important asset and observes the principle of reciprocity towards its employees, suppliers and other stakeholders. Inepro Group expects these parties to fulfil their agreements when it comes to the integrity, confidentiality and continuity of the information supply.
7. The HR policy also aims to improve the integrity, confidentiality and continuity of the information supply among employees. This will be addressed in an annual review.
8. The physical and logistical security of the buildings and premises will be such that the confidentiality, integrity and availability of the data and their processing are secured.
9. The purchase, installation and maintenance of the information and communication systems and the deployment of new technologies must be carried out with additional measures if necessary to ensure that they do not adversely affect the information security.
10. Contracts awarded to third parties for the performance of work will include sufficient measures to ensure that no breach of confidentiality, integrity and continuity of the information supply is possible.
11. Measures will be taken for the processing and use of data to secure the privacy of customers, employees and other data subjects.
12. Access security ensures that unauthorised persons or processes cannot gain access to the information systems, data files and software of Inepro Group.
13. External provision of data will take place based on the ‘need to know’. This is not always the most desirable approach internally because the exchange of knowledge is essential to the cost-effective provision of services to customers.
14. Inepro Group and its employees will take measures to ensure confidential information does not end up in the hands of third parties.
15. Client input with confidential data will be archived or destroyed soon after the processing.
16. Data transport will take place with sufficient security measures to ensure no breach of the confidentiality and integrity of the data is possible.
17. Authorised staff must also have secure remote access to the production environments that are relevant to them. No confidential data are stored outside of the production environment. Deviations are possible subject to specific conditions.
18. Production environments are separated from other environments and allow specific access rights and access monitoring.
19. The management and storage of data in production environments will take place in a manner which ensures that no data can be lost, except in cases of force majeure.
20. Clear distinctions are made between the development, management and user organisations. Positions within them will also be clearly distinguished where possible and desirable.
21. The Inepro Group has a procedure to adequately handle and learn from incidents.
22. There are also emergency plans and facilities in place to ensure the continuity of the information supply.
23. When data processing is outsourced, the Board may decide to temporarily deviate from these policy principles and accept the corresponding risks.
24. The listed policy principles apply to data processing for which Inepro Group is legally and/or contractually responsible.
25. Information security is part of the design, development and management of software, even if this is done by third parties. Security and privacy by design are the main principles in this context.
26. Inepro Group and its staff are aware of the privacy sensitivity of the (special) personal data they process and always ensure that these data are protected, can be corrected and are handled transparently, in order to protect the privacy of data subjects.