ISMS Policy

Information Development Europe B.V. plays a role in contributing to the sound development of an advanced information society and promotes its business activities. In order to achieve these goals, we have established an "Information Security Management System Policy" abbreviated as "ISMS Policy". We establish, monitor and continually improve our safeguards for the confidentiality, integrity and availability of all physical and electronic information assets to ensure that regulatory, operational and contractual requirements are fulfilled.

Definition of the ISMS

The Scope of the Information Security Management System defines the technical and organizational boundaries to which the ISMS applies. The organization considers the context of the organization, the needs and expectations of interested parties, and the risks of these parties’ activities, products, and services. The scope is a factual and representative statement of the organization's operations included within the ISMS boundaries and is available to interested parties.

The Policy ensures and guarantees that:

  • Confidentiality: Confidentiality of information shall be kept. Information shall not be disclosed to unauthorized persons through any accidental or deliberate action.
  • Integrity: Integrity of information shall be maintained by ensuring protection against unauthorized access. Information shall be complete and accurate.
  • Availability: Information shall be available and delivered to the right person at the time when it is needed. Information is made available to authorized business processes and employees when required.
  • The Policy is supported through a Business Continuity Plan, which will be defined, maintained and tested in continuous practical work.
  • All information security violations will be reviewed, documented, and investigated.
  • Continual improvement initiatives are implemented, including risk assessment and risk treatment strategies.
  • The organization complies with all applicable laws, regulations and contractual obligations related to information security.

This policy governs our day-to-day operations to ensure the security of information and is communicated and implemented throughout our organisation. Our Information Security Policy is made available as a stand-alone document and widely distributed, including during induction.

Our Information Security Policy is typically reviewed annually, as part of our information security management review program, or as required to recognise the changing needs and expectations of relevant interested parties or the risks and opportunities identified by the risk management process.

The Chief Information Security Officer (CISO) leads all the information-security efforts of the company. The CISO has a direct line to the Managing Director and can communicate with the Managing Director whenever needed.

Reporting service issues (failures, incidents, concerns, or other complaints related to the services or systems of Information Development Europe B.V.)

If any Information Development Europe B.V. staff member believes they have discovered or noticed a service issue (as described above), they should take the following steps to report it:
1.  Please report the issue to your manager / supervisor immediately.
2.  If your manager / supervisor is not available, please approach the Chief Information Security Officer (CISO) / CEO to report the issue.

Information Security Training Program

All Information Development Europe B.V. staff are expected to complete information security training within 30 days of joining Information Development Europe B.V. and annually thereafter. Further, all Information Development Europe B.V. staff are then required to acknowledge that they have attended the information security training and understand the Information Security Management System (ISMS) Policy. The training documents are also available on the company intranet for ready reference.

The company has crafted an Information Security Training Program based on the following pillars.
  1. Incident Management
    The company's Incident Management and Response Policy outlines guidelines for reporting and responding to security incidents in an efficient manner.
  2. Vulnerability Management
    The company's Vulnerability Management Policy describes our process of identifying, classifying, prioritizing, mitigating, and remediating security vulnerabilities.
  3. Data Classification
    The company's Data Classification Policy outlines a way to categorize data processed by Information Development Europe B.V., its software and systems, based on levels of sensitivity.
  4. Data Backup
    The company's Data Backup Policy describes how operational and other customer data is backed up to protect against loss or corruption.
  5. Data Retention
    The company's Data Retention Policy describes how we retain customer data, and the provisions we provide for customers to make data deletion requests.
  6. Encryption
    The company's Encryption Policy outlines how we can better protect private, proprietary and sensitive data by encrypting our data at rest and in transit.
  7. Endpoint Security
    The company's Endpoint Security Policy describes how we protect against unauthorized access to our production systems or customers' data via endpoints like laptops that are used by staff members.
  8. Physical Security
    The company's Physical Security Policy describes how we protect the physical security of the systems and devices that can affect our system.
  9. Acceptable Use Policy
    All Information Development Europe B.V. staff must acknowledge that they've read and will conform with the organisation's Acceptable Use Policy. Our Acceptable Use Policy covers staff duties and behavior for using Information Development Europe B.V. resources and assets, including but not limited to computers, devices, email, internal tools, and social media.

Employee Acknowledgement

All the above security policies are presented to new employees during onboarding, and all employees are required to read, review, and acknowledge them.

This ISMS policy applies from 03 January 2025 until further notice.