With the policy principles, three objectives are achieved:
- Providing clarity to stakeholders on how Peercode deals with information security.
- Providing guidelines for the planning function to define and plan suitable measures.
- Clarifying for internal and external auditors the importance that Peercode places on the various attention areas of information security (required for the statement of applicability).
In these policy principles, the management team indicates how they want information security to be given shape that fits with Peercode. In the further implementation of this policy, the following principles must be applied:
- Information security is a significant business risk for Peercode. The management therefore formulates the policy, assesses the risks, adopts the measures and periodically has the functioning of the policy and the compliance with these measures assessed internally and externally, to ensure that the information security management (ISM) system continues to work adequately and is improved where needed.
- Peercode complies with the applicable legislation concerning information security.
- Peercode strives to continuously improve its services for clients.
- The best practices of the NEN-ISO/IEC 27001 standard and the privacy guidelines of the Dutch Data Protection Authority [College Bescherming Persoonsgegevens, CBP] form, in so far as they contribute to Peercode’s information security, the starting point for the measures to be defined. This is a business-economic consideration.
- Peercode considers computer crime to be an unwanted social problem and simply sees it as their task to take suitable measures to limit damage as a result of criminal activities as much as possible. This, too, is a business-economic consideration.
- Trust is a major asset for Peercode and they apply the reciprocity principle towards employees, clients, suppliers and other stakeholders. Peercode assumes that they will honour commitments regarding integrity, confidentiality and continuity of the provision of information.
- Only measures that can realistically be enforced qualify for implementation.
- The HRM policy focuses in part on improving the integrity, confidentiality and continuity of the provision of information. An evaluation of this takes place during performance evaluation meetings.
- The physical and logistical security of the buildings and the rooms in the buildings are such that the confidentiality, integrity and availability of the data and data processing are guaranteed.
- Purchase, installation and maintenance of information and communication systems, as well as integration of new technologies, must be carried out with additional measures, if required, to ensure that the baseline level of protection (BLP) is complied with.
- Assignments to third parties for carrying out work will be issued with such measures that no violation of the confidentiality, integrity and continuity of the provision of information can arise.
- Authorised employees must also have secure access to the production environments relevant to them. No confidential data shall be stored outside the production environment. Under certain conditions, this can be deviated from.
- During the processing and use of data, measures are taken to safeguard the privacy of clients and personnel as specified in the data processing agreement.
- Access security ensures that unauthorised persons or processes do not gain access to the information systems, data files and software of Peercode.
- External data provision is done on a need-to-know basis. Internally this is not always desirable because knowledge sharing is essential for cost-effective provision of service to clients.
- Peercode and its employees take measures to prevent information from winding up in the hands of third parties.
- Data transport is protected with such security measures that the confidentiality and integrity of this information cannot be violated.
- In the production environment, only authorised versions of software are used.
- The management and storage of data shall be such that no information can be lost.
- There is a process to resolve incidents adequately and to derive lessons learned from this.
- Disaster plans and measures are in place to safeguard the continuity of the provision of information.
- With automated information provision, stringent separations have been established between the test/development environment, the acceptance test environment and the production environment. What is important here is that no confidential production information makes its way outside the well-secured production environment.
- Separation of functions has been put in place between the development, management and user organisation. Furthermore, separation of function is utilised where possible and desirable.
- Open source software is only used if it complies with open standards and is supplied by suppliers or sources considered reliable.
- When outsourcing data processing, the management can decide to temporarily deviate from these policy principles and temporarily accept the risks of this decision.
- The aforementioned policy principles apply for that data processing for which Peercode is legally and/or contractually responsible.
- Changes to software packages of third parties are advised against, unless this is desirable from a safety perspective. Standard packages for which security updates are installed automatically are preferable.