Document: Information & Cyber Security Policy
Owner: Sekyr Executive Team
Last reviewed: March 2026
Next review: March 2027

01 Introduction

This Information and Cyber Security Policy (the "Policy") establishes the overarching principles, rules, and responsibilities for the management of information security, cyber security, and privacy protection at Sekyr, its subsidiaries, employees, consultants, contractors, and other third parties acting on behalf of the organisation.

Sekyr shall inform all relevant stakeholders of material changes to this Policy and shall continuously work to improve stakeholder understanding and implementation of the requirements set forth herein.

02 Purpose

The purpose of this Policy is to protect the information and systems of Sekyr, its customers, and its partners against breaches of confidentiality, integrity, and availability, and to ensure that Sekyr complies with applicable laws and regulations relating to information security and privacy.

Through its Information Security Management System (ISMS), Sekyr aims to maintain a high level of trust among customers, partners, and employees, and to deliver secure and reliable services at all times. The guiding principles set out in this Policy form the framework for the organisation's security work and supporting guidelines.

03 Scope

This Policy applies to all employees, consultants, subcontractors, and any other parties with access to Sekyr's or its customers' information. It covers all types of data, regardless of format (including electronic, paper-based, and verbal information), and applies to all systems and services related to the organisation's operations and to its product and service deliveries.

04 Guiding principles

Sekyr shall:

  • safeguard the confidentiality, integrity, and availability of the information it manages or has access to;
  • ensure that only authorised persons have access to information, and that access to, changes to, and creation of information are logged and traceable to individual users;
  • comply with laws and regulations relating to information security, and protect personal data in accordance with applicable privacy legislation (including the GDPR);
  • handle confidential and sensitive information in accordance with internal routines to prevent unauthorised disclosure at all times;
  • conduct its security work and implement controls in line with the requirements of ISO/IEC 27001, so as to meet the relevant information security expectations of customers, partners, and other stakeholders;
  • identify, manage, and reduce risks related to information security;
  • detect and manage security incidents, and report them to relevant stakeholders as appropriate;
  • work for continuous improvement of information security and learn from security incidents;
  • maintain a strong security culture and competence across the organisation; and
  • develop secure solutions by integrating information security as a core component of all projects and deliveries.

05 Risk-based approach

Sekyr adopts a risk-based approach and aims to optimise risk rather than merely minimise it. As part of its security and privacy processes, Sekyr carries out risk assessments that are integrated with business operations and are performed in connection with any significant organisational change.

Risks are evaluated against the cost of mitigation and the anticipated consequences of realisation. An overall assessment is made so that decisions reflect what is optimal from both a business and a security perspective.

06 Implementation

Sekyr works with information security and data protection in alignment with ISO/IEC 27001 and is preparing for certification against the standard. The security work is governed through clearly defined security objectives managed within the organisation's strategic goal-setting framework.

The personnel responsible for Sekyr's security meet on a regular basis to share updates, align priorities, and assess the effectiveness of security strategies against organisational objectives. Policies and guidelines supporting this Policy are made available to all individuals within the Sekyr organisation.

07 Incident response

Sekyr maintains an Incident Response Plan that establishes the procedures to be followed in the event of security incidents and data breaches. The plan is an integral part of Sekyr's overall security framework and aligns with its compliance obligations under the GDPR and other applicable data protection and security legislation.

The Incident Response Plan defines clear responsibilities and processes for effectively mitigating and managing security incidents and data breaches, including the steps required to respond to and recover from events that may affect the confidentiality, integrity, or availability of Sekyr's data and systems.

In the event of any threat, unauthorised use, or other incident affecting Sekyr's information, information systems, privacy protections, or cyber security, the objective is to escalate the matter promptly and, where possible and appropriate from a security perspective, to maintain service delivery and operational capability.

08 Roles and responsibilities

Responsibility for information security, cyber security, and data protection is shared across the organisation. Specific responsibilities are as follows:

Executive Team
Owns this Policy, approves material changes, and ensures that adequate resources are allocated to information security.
Legal & Compliance
Leads and coordinates privacy protection at Sekyr and holds overall responsibility for compliance with applicable legislation, including the GDPR. Supports the organisation on matters relating to this area.
Security Team
Holds primary responsibility for Sekyr's security work and leads the development, maintenance, and updating of security measures and processes.
Incident Response Team
Responsible for implementing the Incident Response Plan. The team comprises representatives from Engineering, Legal & Compliance, the Executive Team, and relevant business units, and coordinates and executes incident response activities promptly and efficiently.
All managers
Responsible for ensuring compliance with this Policy and with the specific processes and standards established to deliver on information security and data protection.
All employees and other covered parties
Responsible for acting in accordance with this Policy and its supporting routines, and for reporting suspected incidents without undue delay.

09 Continuous improvement and security objectives

Sekyr is committed to the continuous improvement of its security work by monitoring the effectiveness of security measures, learning from experience, and adapting to changes in the threat landscape. Security measures shall be updated regularly to maintain an appropriate level of protection for information and systems.

Progress is measured against clearly defined security objectives set within the organisation's strategic goal-setting framework and reviewed by management on a recurring basis.

10 Review

This Policy shall be reviewed at least annually and updated as needed to reflect changes in the regulatory environment, the threat landscape, or the organisation's operations.

Document version 3.1 · March 2026