The Board and management of Comsenso BV, located at Toetsenbordweg 55C, 1033 MZ Amsterdam, The Netherlands, which is in the business of selling, providing, implementing, hosting and supporting Managed ICT Infrastructure-as-a-Service to its clients, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout Comsenso, in order to preserve its competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance and commercial image. Information and information security requirements will continue to be aligned with Comsenso’s goals and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations and for reducing information-related risks to acceptable levels.
The Scope of Comsenso’s Information Security Management System has been defined as follows:
- The offering of Managed Network, Hosting and Security Services to its clients, as well as the implementation, support and management processes required to offer these services;
- The organizational entity covered by the scope is the technical support and implementation department of Comsenso;
- The assets in scope are the software and hardware components as they are used by its employees and as installed in Comsenso’s data centers, needed to deliver named services to its clients;
- Exclusions to the scope are:
  - The processes of 3rd party vendors not covered by the contracts or SLAs with these vendors;
  - Controls for software development, since no software is being developed by Comsenso;
  - Controls for e-commerce websites for its own use, since Comsenso does not operate any;
  - Controls for public access areas, loading bays, etc., since these are not in use at Comsenso.
Comsenso’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an Information Security Management System. The risk assessment, Statement of Applicability and risk treatment plan identify how information-related risks are controlled. The Chief Security Officer is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the ISMS Manual and are supported by specific, documented policies and procedures.
All employees of Comsenso and certain external parties identified in the ISMS are expected to comply with this policy and with the ISMS that implements this policy. All staff, and certain external parties, will receive appropriate training and/or instructions.
The ISMS is subject to continuous, systematic review and improvement.
Comsenso has established an Information Security Group, chaired by the Chief Security Officer (CSO) and including the Information Security Manager and other executives, specialists and risk specialists, to support the ISMS framework and to periodically review the security policy. The function names (e.g. CSO, ISM, etc.) that are used throughout the ISMS documentation to define and assign ownership, responsibilities and/or accountabilities are to be interpreted as ‘Roles’. These roles are assigned to persons. Given the current structure of Comsenso, some of these roles have been combined and assigned to one and the same person.
Comsenso is committed to maintaining certification of its ISMS to ISO27001/ISO27002:2013.
This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, “information security” is defined as:
This means that management, all full-time or part-time staff, subcontractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in section 13 of the Manual) and to act in accordance with the requirements of the ISMS. The consequences of security policy violations are described in Comsenso’s disciplinary policy. All staff will receive information security awareness training, and more specialized staff will receive appropriately specialized information security training.
This means that information and associated assets should be accessible to authorized users and clients when required and therefore physically secure. The computer network identified as part of the scoping work for section 1 of the Manual must be resilient and Comsenso must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans. Further to this, as a consequence of Comsenso’s strategic business plan, it has been decided by the Board of Directors that no failure or disruption of a single asset should cause an outage to any of Comsenso’s offered managed services to clients.
This involves ensuring that information is only accessible to those authorized to access it, and therefore preventing both deliberate and accidental unauthorized access to Comsenso’s information and proprietary knowledge and its systems, including its network(s), website(s), extranet(s), client networks and managed services.
and the Integrity
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing the deliberate or accidental, partial or complete, destruction or unauthorized modification of either physical assets or electronic data. There must be appropriate contingency for network(s), website(s), extranet(s) and managed services, data backup plans and security incident reporting. Comsenso must comply with all relevant data-related legislation in those jurisdictions within which it operates.
of the physical assets
The physical assets of Comsenso, including but not limited to computer hardware, data cabling, telephone systems, filing systems and physical data files.
and information assets
The information assets include information printed or written on paper, transmitted by post, shown in films or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs, on CD-ROMs, floppy disks, USB sticks, backup tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context “data” also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc.).
and all partners that are part of our integrated network having signed up to our security policy and having accepted our ISMS.
The ISMS is the Information Security Management System, of which this policy, the Information Security Manual (“the Manual” or “ISMS Manual”) and other supporting and related documentation is a part, and which has been designed in accordance with the specification contained in ISO27001:2013.
A SECURITY BREACH is any incident or activity that causes or may cause a breakdown in the availability, confidentiality or integrity of the physical or electronic information assets of Comsenso.
The Information Security Manager is the Owner of this document and is responsible for ensuring that this policy document is reviewed in line with the requirements in clause 5.1.2 in the Manual.
A current version of this document is available to members of staff on the corporate intranet and was published on August 5th 2015. It does not contain confidential information and can be released to relevant external parties.
This information security policy was approved by the Board of Directors and is issued on a version controlled basis under the signature of the CEO.