
# Security requirements

# 1 Scope and purpose

The following information security requirements apply to Signicat’s processing of Customer’s data.

Signicat handles all Customer information with security in mind, and Supplier delivered services are protected to ensure confidentiality, integrity, and availability.

# 2 Information security governance

Signicat shall have a documented Information Security Management System (ISMS) aligned with ISO 27001:2013 (or subsequent versions), or a set of policies to that effect, and Signicat shall, prior to entering into this Agreement and subsequently upon Customer request and reasonable advance notice, provide documentation thereof to the Customer.

The ISMS is guided by best practice control sets.

Signicat has a documented risk management process, with supporting procedures and controls that are operational.

# 3 ISMS requirements

Signicat’s ISMS, or set of policies, has the following requirements implemented. The information security requirements listed below also apply to sub-suppliers of Signicat.

# 3.1 Organisation of Information Security

Information security responsibilities are defined and allocated.

# 3.2 Information Asset Management

Information assets are identified, classified, and protected according to their classification.

# 3.3 Human Resources Security

A background check is completed for all full-time, part-time, and temporary employees.

# 3.4 Access Control

The principle of least privilege is applied, both in design and implementation of access controls and provisioning of user and system access rights.

Requirements for access control to a system or information are aligned with the information classification of the assets to be protected.

A formal process for user registration and de-registration is used.

A formal process for user access provisioning is used.

User-IDs of users who have left the organisation are disabled or removed.

When a user changes role or responsibilities in the organisation, assigned access rights that are no longer needed are removed.

# 3.5 Operations Security

There must be written operating procedures for all systems that process, store or in some other way handle Customer’s information. The procedures ensure that information is handled and stored in compliance with information security policies, regulatory requirements, and contractual obligations.

Changes to the organisation, business process, information processing facilities, supplier relationships, internal processes and systems that affect information security are controlled.

Development, testing, and operational environments are separated, logically or physically.

Backup is taken of relevant information according to availability and integrity requirements, taking confidentiality requirements into account.

There are event logs of user activities, exceptions, faults, and information security events in systems and networks that are, or contain, Customers’ information. These logs are reviewed regularly.

All changes to operational software, applications and program libraries are performed by trained administrators.

All software is tested, approved and undergoes a risk assessment prior to installation.

All updates and changes to systems, software, application and program libraries are recorded.

# 3.6 Business Continuity Management

There are Business Continuity Plans (BCP) that include preventive, detective, and corrective controls to business processes so that availability requirements stated in legal, regulatory, and contractual obligations are met. The corrective controls include Disaster Recovery Plans (DRPs).

Business Continuity Plans and Disaster Recovery Plans are tested and evaluated annually to verify their effectiveness and relevance.

# 3.7 Incident Management

There are procedures for incident management.

All information security incidents and weaknesses are reported to parties that have an interest as quickly as possible.

The analysis and resolution of all incidents are evaluated to reduce the likelihood or impact of future incidents.

All information security incidents, and the response, are recorded.

# 3.8 Physical and Environmental Security

Areas that contain information and information processing facilities are defined, classified, and documented.

The premises are adequately safeguarded against unlawful intrusion. Physical access during office hours is restricted.

Physical access rights are annually reviewed, updated when necessary, and revoked when necessary.

An audit trail of access to the area or facilities is maintained and monitored.

# 4 Security testing

Signicat conducts relevant periodical security testing of its systems.

Signicat shall, upon Customer request and reasonable advance notice, provide documentation that such test has been conducted, with the result. Information in the result that relates to other Customers, or details from findings which could not, in any conceivable way, impact the security of the Customer’s information or deliverables under this Agreement, may be masked.

The Customer may perform security tests against Signicat’s solutions upon Signicat’s approval.

Last updated: 11/03/2022 13:02 UTC