Information is an asset that, like other important business assets, is essential to AskCody business and consequently needs to be suitably protected.
This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities.
Information Security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, software, and hardware. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of AskCody are met. This should be done in conjunction with business processes.
Information Security is the preservation of the:
- Confidentiality of information: the information is only available to authorized individuals, entities, or processes and is only used for authorized and legitimate purposes
- Integrity of information: the information is accurate and complete
- Availability of information: the information is accessible and usable upon business demand
Other quality aspects such as authenticity, accountability, non-repudiation, traceability, and reliability can also be involved.
Why Information Security is needed
Information and the supporting business processes, systems, and networks are important business assets for AskCody.
Defining, achieving, maintaining, and improving Information Security is essential to:
- ensure the confidentiality and integrity of information and the availability of information and business processes
- protect our most valuable information assets and our clients' and users' valuable information
- be trusted by customers, suppliers, partners, and co-workers
- protect the AskCody brand and the trust that our clients show us by using our services
Also, it is important that regulatory and legal compliance is ensured.
AskCody is faced with security threats from a wide range of sources, including information leakage, computer-assisted fraud, or simply acts of nature. Causes of damage such as malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated.
The interconnection of public and private networks and the sharing of information resources increase the difficulty of achieving access control. The trend to distributed computing has also weakened the effectiveness of central, specialist control.
When Information Security within AskCody is not under control, this leads to, among other things:
- Criminal exposure (e.g. attacks, fraud)
- Non-compliance with legal and regulatory obligations
- Financial loss due to business interruption
- Exposure of customer and user (personal) data
Identifying which controls should be in place requires careful planning and attention to detail. Investments in Information Security should be in balance with Information Security risks. In some cases, it is better to accept the risk instead of investing in measures. However, this requires a thorough risk analysis. Therefore, risk analyses are carefully performed, managed, and maintained to ensure the right level of investment, with risk and cost in balance.
The AskCody approach to Information Security
Openness, honesty, and trust are important aspects of the AskCody culture.
However, we need to have a clear point of view on how to manage information and approach situations that may be perceived as a conflict of interest.
At AskCody we take our values into account before implementing Information Security rules and measures:
- AskCody strives to make Information Security measures simple, for the many, and with user-friendliness in mind
- Simplicity supports AskCody co-workers in taking responsibility and behaving in a risk-aware way, creating a security culture together
- Cost consciousness is about protecting information at the correct level, with risk and cost in balance
It is the responsibility of all co-workers within AskCody to understand and work according to the AskCody Information Security Policy and Rules. The Rules have been developed to give advice and support for how to protect the AskCody business and the information environment.
It is very important to have this support when encountering conflict of interest issues, especially when the information is not AskCody information, such as a customer's or business partner's information, which needs to be handled with appropriate care and in compliance with legal standards.
The Rules are also necessary to run a reliable operation, to guarantee the availability of business processes and information from IT systems, and the correct processing of information.
AskCody Policy on Information Security
In this document, we have collected the most frequently asked questions about our Information Security and about how we guarantee the right level of protection, reliability, availability, privacy, and confidentiality.
The rules in this document are connected to the AskCody Policy on Information Security which provides the below AskCody standpoint on Information Security:
Information is an important business asset for AskCody and needs to be suitably protected. A risk- and cost-effective balance is made between the level of Information Security measures and the information's value to AskCody, considering both internal and external demands.
The AskCody Information Security Rules
AskCody Information Security Policy and Rules contain the basic requirements for Information Security. The use of Information Systems is an important link in operational management and the realization of business goals.
Information Security and IT Control are therefore an essential part of Corporate Governance. In addition, these requirements are also demanded by External Auditors in order to rely on Information Systems for the annual financial statement of AskCody.
The AskCody Information Security Policy and Rules also apply to all suppliers to which AskCody has outsourced (parts of) its services.
All rules and implementation requirements must be implemented unless they conflict with local laws and regulations.
The AskCody Information Security Policy and Rules are based on:
- Generally accepted standards such as the Information Security standards ISO/IEC 27001/27002 and ISAE 3000 (ISAE 3000 is the standard for assurance over non-financial information. ISAE 3000 is issued by the International Federation of Accountants (IFAC). The standard consists of guidelines for the ethical behavior, quality management, and performance of an ISAE 3000 engagement)
- Data protection laws and GDPR.
Set up of the Rules
The Information Security in AskCody consists of headlines grouped around specific security areas:
- Organization of Information Security
  - Management direction & governance of Information Security
- Asset Management
  - Inventory and classification of information assets
- Human resources security
  - Security aspects for employees joining, transferring and leaving AskCody
- Physical and Environmental Security
  - Protection of the computer facilities
- Communications and Operations Management
  - Management of technical security controls in systems and networks
- Access Control
  - Restriction of access rights to networks, systems, applications, functions, and data
- Information systems acquisition, development, and maintenance
  - Building security into applications
- Information Security incidents
  - Anticipating and responding appropriately to Information Security Breaches
- Business continuity management
  - Protecting, maintaining and recovering business-critical processes and systems
- Ensuring conformance with Information Security policies, standards, laws, and regulations
These areas are all described further in our Information Security Policy.
If a detailed walkthrough of all security areas, as well as risk analysis, is needed, please contact our appointed Security Officer & Coordinator, Rune Spliid – firstname.lastname@example.org, who is responsible for ensuring that Information Security is understood, communicated and implemented accordingly at the right level in the organization, and that Information Security rules and standards are consistently implemented for AskCody.
Information and Cloud Security FAQ
In the following articles, the frequently asked questions about our Information Security are listed under the following headlines:
- Internal Security
- Reliability/availability of service
- Transparency/visibility into vendor processes
- Privacy/confidentiality protection
- Security and risk management
- Location/ability to retrieve data/end of service support
- Certifications/assurance
- Disaster recovery and backup
- SDLC/Application Security
- Data Collected and Calendar Syncing
- Accessing Customer Data on the Exchange Server
- R&D and release management