1 Inepro Group Information Security Policy
Inepro has a wide range of applications that work seamlessly together with its hardware products and enhance their overall effectiveness. Together, they make up the complete solutions offered by Inepro to education, care, government and corporate organisations. Intuitive and clear controls are paramount to the development of the applications. The user-friendly interfaces ensure an efficient and pleasant work experience. All applications can be fully configured to completely meet your specific requirements.
The software is divided into two categories: back-end applications such as management and accounting software, and front-end applications such as point-of-sale solutions, cloud printing and embedded software for MFPs.
In addition to the software, Inepro Group also develops and delivers services for implementation, training, coaching, maintenance, support and hosting.
However, some customers and prospects now require Inepro Group to acquire an ISO 27001 certificate. Inepro Group considers obtaining the ISO 27001 certificate a measure to cover the short-term operational risks, because if we do not get the certificate, we may lose major customers or orders.
2 Responsibility, purpose and audience
Considering the possible impact of disruptions on the business operations and continuity of Inepro Group and its customers, the Board of the Inepro Group has the overall responsibility for the information security policy.
The Information Security Policy Document (hereinafter referred to as the IS Policy) aims to manage the risks related to the confidentiality, integrity and continuity of the information supply within the Inepro Group and can be defined as follows:
‘Offering a framework of policy principles for the confidentiality, integrity and availability of the information supply, for which a balanced (effective and efficient) system of interrelated measures has been developed to protect the structure against internal and external threats.’
All stakeholders must ensure that the policy principles set out in this IS Policy are met in the implementation of the organisation, procedures, methods and the information systems used.
This policy applies to all information created, received, transmitted or stored as part of the services the Inepro Group provides to its customers and the related contractual obligations and supporting processes. The policy and its implementation apply to all employees of the Inepro Group. Deviations must be reported to ensure the management system can keep being improved. The policy also applies to the contractors who help Inepro Group provide services to its customers.
The ethical code is an integral part of this policy and must be observed by all employees, contractors and trainees. The Inepro Group strives to select security measures based on logical principles that are as cost-effective and sustainable as possible. These principles are:
- You do not need to secure data that are not in your possession or that are not confidential.
- Do not drag data around (i.e. do not copy them).
- Separate data.
All employees must put these principles into practice.
3.1 Ownership and scope of the policy
Inepro Group is responsible for the provision of its services with sufficient security options to enable its customers to meet the applicable IS standards and other laws and regulations. The hosting and management of the software also meet these requirements. However, this does not release the client from the ultimate responsibility for the security of its information supply.
Each information system, including the associated data, must have one explicit owner. Ownership implies the ultimate responsibility for the system, including determining the risks associated with the system, classifying the system and the associated data, and the (outsourced) development of adequate means of security and internal control measures. In addition to the application, this also includes the correct use of the infrastructure components (workstations, servers and the internal and external network), the correct processing, the adequate management, the proper performance of staff, agreements with third parties, and the physical security and facilities used to prevent or handle incidents and calamities.
We call this the ultimate responsibility because a number of aspects of the information system are outsourced to other holders, for example, the Inepro Group. No maximum level of security is pursued, but rather the best possible level to ensure Inepro Group can outsource its services at acceptable costs.
3.2 Developing this policy
Risk analyses are carried out based on this policy and a set of measures and controls will be defined as an internal standard which will serve as the minimum level for the services provided to customers. A higher level of security can be agreed on with a customer in consultation.
3.3 Assessment of effectiveness and compliance with the policy
The Board will internally assess the effectiveness of and compliance with the policy and make any adjustments that are necessary.
An internal audit will take place each year. This internal audit includes a reassessment of the risks, new contracts and laws and regulations. The report also includes a plan with suggestions for improvement. The Board will assess the report, accept or reject proposals and allocate a budget to achieve them.
A competent and skilled external party will annually audit the effectiveness of the IS management system. This report will be available to (potential) customers.
4 Policy principles/IS objectives
The Board uses these policy principles/objectives to indicate how it wants to implement the information security in a manner which is appropriate for the Inepro Group. The following principles/IS objectives must be used when implementing this policy:
1. Information security is an important operational risk for the Inepro Group. This is why the Board adopts the policy, assesses the risks, determines the measures, and periodically arranges the internal and external assessment of these measures to ensure that the IS management system continues to operate adequately and is improved where necessary.
2. Inepro Group complies with relevant legislation and the contractual agreements with its customers and business partners for its information security.
3. Inepro Group strives to continuously improve the services it provides to its customers.
4. The objectives and control measures of the NEN-ISO/IEC 27001 standard and the privacy guidelines of the AP, insofar as they contribute to the information security of the Inepro Group, serve as the foundation for the measures that need to be defined. This is mainly an economic consideration.
5. Inepro Group considers cybercrime an undesirable social problem and believes that it is its duty to take suitable measures to limit the damage caused by criminal activities as much as possible.
6. Inepro Group considers trust an important asset and observes the principle of reciprocity towards its employees, suppliers and other stakeholders. Inepro Group expects these parties to fulfil their agreements when it comes to the integrity, confidentiality and continuity of the information supply.
7. The HR policy also aims to improve the integrity, confidentiality and continuity of the information supply among employees. This will be addressed in an annual review.
8. The physical and logistical security of the buildings and premises will be such that the confidentiality, integrity and availability of the data and their processing are secured.
9. The purchase, installation and maintenance of the information and communication systems and the deployment of new technologies must be carried out with additional measures if necessary to ensure that they do not adversely affect the information security.
10. Contracts awarded to third parties for the performance of work will include sufficient measures to ensure that no breach of confidentiality, integrity and continuity of the information supply is possible.
11. Measures will be taken for the processing and use of data to secure the privacy of customers, employees and other data subjects.
12. Access security ensures that unauthorised persons or processes cannot gain access to the information systems, data files and software of Inepro Group.
13. External provision of data will take place based on the ‘need to know’. This is not always the most desirable approach internally because the exchange of knowledge is essential to the cost-effective provision of services to customers.
14. Inepro Group and its employees will take measures to ensure confidential information does not end up in the hands of third parties.
15. Client input with confidential data will be archived or destroyed soon after the processing.
16. Data transport will take place with sufficient security measures to ensure no breach of the confidentiality and integrity of the data is possible.
17. Authorised staff must also have secure remote access to the production environments that are relevant to them. No confidential data are stored outside of the production environment. Deviations are possible subject to specific conditions.
18. Production environments are separated from other environments and allow specific access rights and access monitoring.
19. The management and storage of data in production environments will take place in a manner which ensures that no data can be lost, except in cases of force majeure.
20. The development, management and user organisations include clear distinctions between positions. Positions will also be clearly distinguished where possible and desirable.
21. The Inepro Group has a procedure to adequately handle and learn from incidents.
22. There are also emergency plans and facilities in place to ensure the continuity of the information supply.
23. When data processing is outsourced, the Board may decide to temporarily deviate from these policy principles and accept the corresponding risks.
24. The listed policy principles apply to data processing for which Inepro Group is legally and/or contractually responsible.
25. Information security is part of the design, development and management of software, even if this is done by third parties. Security and privacy by design are the main principles in this context.
26. Inepro Group and its staff are aware of the privacy-sensitivity of (special) personal data they process and always ensure the protection, correctability and transparency of these data to protect the privacy of data subjects.