Inedo prioritizes the safeguarding of its data resources to fulfill organizational goals and meet the cybersecurity needs of its clients, ensuring the welfare of individuals and the preservation of privacy. The Information Security Policy is a testament to Inedo’s dedication to these objectives.
This Document is an extension of Inedo’s Information Security Policy, offering an overview of the internal security protocols and measures that establish the foundational security framework for the company’s Software as a Service (SaaS) Platform. The purpose of this Document is to instill confidence in stakeholders regarding the security measures in place for the SaaS offerings and the data housed within them.
Goals and Strategy
Information and technological resources are essential to carrying out Inedo’s business operations. Leadership acknowledges this significance and endorses all initiatives aimed at achieving business targets tied to safeguarding the organization’s information assets:
- Objective 1: Determine and adhere to the pertinent laws, regulations, and standards.
- Objective 2: Safeguard Inedo’s informational assets and all data entrusted to the organization during its operational processes.
- Objective 3: Guarantee the consistency and dependability of the infrastructure, technology, and Inedo’s services and products.
To accomplish these aims, Inedo has embraced a series of security strategies:
- Categorize each information asset based on its confidentiality requirements.
- Identify all sensitive information.
- Undertake a comprehensive risk evaluation across the organization.
- Spot security vulnerabilities linked to crucial business resources, procedures, and functionalities.
- Define and implement security safeguards corresponding to the recognized information protection needs.
- Regularly brief all staff members about their role in securing business information assets.
- Offer current resources for enhancing information security awareness.
- Organize formal drills and education on incident detection and handling.
- Verify the organization’s readiness to sustain all essential business operations during a significant incident.
- Formulate a structured plan for managing information security incidents.
- Track IT operations to detect irregularities and potential incidents.
- Confirm that all associates and external entities adhere to Inedo’s information protection standards for the allocated information assets.
- Conduct periodic information security reviews of the IT infrastructure.
- The security obligations and functions of employees and contractors must be outlined.
- Every employee entrusted with access to sensitive information must undergo a comprehensive background verification.
- All employees, contractors, and additional third parties who might access sensitive data must enter into a confidentiality contract.
- Reviews of the information security protocols should be conducted with all employees, contractors, and any third parties interacting with the company’s informational assets.
- Comprehensive training and updates on information security protocols should be provided to all staff members.
- When the professional relationship between an employee, consultant, or contractor and the company concludes, all Inedo assets in their possession must be returned. The individual’s computer and work-associated privileges will be withdrawn immediately upon notice.
In order to respond appropriately to evolving information and cybersecurity threats, Inedo shall adopt a risk-based approach to information security management.
- Each information asset must have a designated information owner.
- Every piece of information should be categorized based on confidentiality, with the information owner formally acknowledging the designated classification.
- Inedo is obliged to establish and record a standardized risk assessment procedure, aligning with acknowledged industry norms to ensure uniform outcomes.
- The organization needs to perpetually evaluate risks and consider the implementation of defensive actions. Security measures should correspond to the worth of the information assets.
- A comprehensive range of information security controls needs to be defined, serving as a foundation for evaluations and determining the needed assurance levels for IT services and enterprise applications.
- A comprehensive risk analysis for the entire business should be conducted annually, and the findings presented to the CISO and senior management for review and yearly strategic refinements.
- Anytime confidential data is designated for alternative use or location within enterprise applications, IT amenities, or systems, an evaluation of prospective security implications is mandatory.
- System owners are tasked with guaranteeing that risk evaluations in their assigned domain are executed following the established guidelines.
- Before divulging any confidential or private data to an external service provider, collaborator, or any other third-party entity, a risk analysis must be conducted. The associated risks should not pose a significant hazard to the organization’s operational interests.
- In instances where a risk evaluation uncovers risks that are deemed intolerable, actions must be initiated to mitigate these risks to a manageable extent.
- Every information asset of Inedo is to be sorted following the Information Classification Policy. Specific management, marking, and assessment protocols need to be in place for each level of classification.
- Inedo identifies three levels of sensitivity in classifications: Confidential, Internal, and Public.
- It is the Information Owner’s duty to select a fitting data classification marker for use by all personnel engaged in the creation, gathering, modification, or dissemination of operational data.
- Documents that are deemed confidential must be explicitly marked as such.
Acceptable Use of Assets
- Within the framework of the Information Security Management Program, Inedo enforces an Acceptable Use of Assets Policy.
- The company’s security and adherence guidelines must be communicated to employees, contractors, and other third parties before they are granted access to business information assets.
- All individuals must be made aware that the utilization of the company’s assets could be observed for both performance and security assessments.
- Employees must promptly report any malicious activity or security incident to their immediate supervisor or the CISO.
Communications and Operations Management
- In alignment with the Information Security Management Program, Inedo has instituted a range of security protocols to align with optimal practices in information and cybersecurity during IT operational activities.
- An exhaustive risk evaluation must be undertaken prior to the development or procurement of a new informational system. The pinpointed security prerequisites should be apt and correspond with organizational, compliance, and contractual obligations.
- The installed security safeguards should be commensurate with the assessed risks, stipulations, and information categorization tier.
- Every information system initiated into operational status must adhere to the foundational security configuration standards.
- In the context of the Information Security Management Program, Inedo has implemented an Access Control Policy.
- All access to the company’s information assets must be authorized. Approval is to be granted on a need-to-know basis and adjusted in line with organizational or administrative roles.
- Access to Inedo’s classified data is granted only after explicit approval from management and authorization by the assigned owner of that particular set of information.
- Third-party access to Inedo’s information assets is contingent upon formal authorization being granted by the Information Owner.
System Acquisition, Development, and Maintenance
- In the context of the Information Security Management Program, Inedo adheres to a Software Development Lifecycle Policy.
- For optimal security efficiency, security features should be integral in the application development process. Every development requirement document created should encapsulate information security and regulatory compliance needs.
- Every application that is either developed or procured by the organization should undergo the information categorization procedure, which establishes the overarching security necessity.
- An assessment of risk should be conducted to identify the suitable security measures corresponding to the desired security standard.
- Prior to its integration into the production environment, all software must be rigorously tested and receive formal approval from the System Owner.
- Comprehensive documentation of all IT services and business applications must be completed before their integration into the production environment.
- Protocols for the administration and application of encryption for data protection should be established. More details can be found in the Encryption and Key Management Policy.
Information Security Incident Management
- In alignment with the Information Security Management Program, Inedo has instituted an Incident Management Policy.
- Any security breach or unauthorized utilization of the company’s information assets is to be categorized as an “incident.”
- The Incident Response Plan should encapsulate designated roles, assigned responsibilities, and communication protocols to be enacted in case of a security breach, inclusive of informing associated external stakeholders and clientele.
- The CISO should unambiguously delineate the individuals tasked with managing information security incidents.
- The prerogative to decide on law enforcement engagement, in cases pertaining to information security incidents, rests solely with the CEO.
- It is imperative for the management to devise, frequently revise, and consistently test a business continuity plan to ensure operational resiliency during a business disruption.
- Every essential IT service and business application should be backed by a contingency strategy, ensuring service revival within the predetermined time frame.
- Protocols for reinitiating service should be officially recorded, examined, trialed, and refreshed on an annual basis at a minimum.
- The assignments and accountabilities concerning contingency orchestration and informational systems revival should be reevaluated and refreshed every year.
Compliance and Privacy
- Inedo is bound to adhere to the relevant legal stipulations, managerial security benchmarks, and data privacy ordinances.
- The company should routinely execute compliance assessments concerning informational security policies, standards, protocols, and privacy stipulations.
- Inspection and evaluation activities ought to be systematically arranged and executed to curtail the risk of impeding the organization’s operational tasks and initiatives.
- Inedo refrains from acquiring any client data that isn’t essential for operational purposes.
- The company is committed to abstaining from collecting personal data through deceptive means or false statements regarding its entitlement to such data.
- Inedo avoids gathering data from third parties, including clients, unless those parties are informed in advance of such collection.
- Inedo’s information systems and enterprise applications contain no concealed serial numbers, covert personal ID numbers, or other hidden mechanisms that could disclose the identity or actions of clients.
- Publicly accessible areas supervised or managed by the company should not display personal identifiers/information, such as social security numbers.
- Documents or communications forwarded to clients should exclude social security numbers and other personal identifying details that are not essential for the client to view.
- Inedo employs internal customer account numbers that are devoid of external significance to guard clients against identity fraud or related security incidents; hence, these numbers are never synonymous with social security numbers or other identifiers vulnerable to unauthorized use.
- Inedo, when collecting personal or client data for operational needs, commits to outlining the collection and usage modalities of such data, informing individuals when their data is shared with third parties, presenting an “opt-out” option for third-party transfers, articulating the privacy and security protocols in place, and offering means for individuals to rectify incorrect personal data.
- The company strictly prohibits the sale, lease, or any form of transfer of client data to third parties.
- Inedo ensures that all employees are routinely briefed on the prevailing privacy declarations.
Third-Party Security Management
- Within the Information Security Management Program, Inedo has instituted a Vendor Management Policy.
- Inedo is committed to keeping a record of all external contractors and service entities engaged in storing or processing sensitive information.
- Before entrusting any IT or data management tasks to a third party, Inedo will conduct a risk analysis to ensure that the vendor’s security measures align with the stipulations of the company’s Information Security Policy.
- A confidentiality agreement must be executed before any sensitive information is divulged to an external party.