Information security policy

DOCUMENT VERSION CONTROL

Title: Information Security Policy

Author: Maria Clara Pereira

Revision Status: Approved

Issue date: 17/02/2025

REVISION HISTORY

VERSION

DATE

DESCRIPTION

v0.1

14/02/2025

Maria Clara Pereira

Creation

v0.2

17/02/2025

Pedro Ribeiro

Review

v0.3

17/02/2025

Rui Machado

Approve

1. INTRODUCTION

“At the highest level, the organization should define an “information security policy” which is approved by top management, and which sets out the organization’s approach to managing its information security” (Source: Control A5.1 of ISO/IEC 27002:2022)

2. OBJECTIVE

This Information Security Policy outlines the framework for managing Information Security within Findmore, and sets forth the guidelines for managing information security at the highest level and is designed to:

Provide a comprehensive framework for establishing a robust security posture
Ensure the protection of sensitive information
Maintain the trust of clients, partners, and stakeholders
Promote a culture of security awareness across all areas of Findmore
Ensure compliance with relevant laws, regulations, and industry standards.

3. SCOPE

This policy must be followed and implemented across all departments and is applicable to all employees, contractors, and third-party entities with access to Findmore’s ICT systems, networks, and data.

4. APPLICABLE TERMS AND DEFINITIONS

Asset anything that has value to the organization.
Control, measure that is modifying risk and include any process, policy, device, practice, or other actions which modify risk.
Information Management Security System (ISMS), consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets.
Information security risks, effect of uncertainty on information security objectives
Policy intentions and direction of an organization, as formally expressed by its top management.
Process, a set of interrelated or interacting activities which transforms inputs into outputs.
Review, activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.
Requirement, need or expectation that is stated, generally implied or obligatory.
Threat is a potential cause of an unwanted incident, which can result in harm to a system or organization.
Vulnerability, a weakness of an asset or control that can be exploited by one or more threats.

5. ROLES AND RESPONSIBILITIES

Findmore Management is the owner of this Information Security Policy, responsible for assigning the ISMS Roles and Responsibilities and approve ISMS documentation.
Process Owner is responsible for the maintenance and review of the documented information related with his/hers process.
Heads of Unit and Directors are responsible for ensuring that employees, contractors and third-party entities under their direction are made aware of and comply with this Information Security Policy, are remaining applicable ISMS requirements.
Auditors responsible for review the adequacy of the controls that are implemented to protect the Findmore information and recommend improvements where deficiencies are found.

Employees, contractors and third-party entities accessing Findmore systems and information are required to adhere and comply with this Information Security Policy and remaining applicable ISMS requirements.

6. POLICY STATEMENTS

6.1 Statement of Management intent

Findmore Management is committed to ensuring that information, data and systems are protected by implementation of an Information Security Management System (ISMS) and effective security measures that uphold the following principles:

Confidentiality: information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity: safeguarding the accuracy and completeness of information and systems.
Availability: information and systems accessible and usable by authorized entities.

This includes ensuring that security is embedded in all aspects of the Findmore operations, from strategic decision-making to day-to-day activities.

Additionally, Findmore Management is committed to maintain transparency and accountability in all aspects of Information Security Management Systems and foster a secure and trusted environment for stakeholders.

6.2 Employees, contractors, and third-party entities engagement

Findmore recognizes that human behaviour is a critical component of information security and therefore, as appropriate, will:
• Ensure the communication of security policies to employees, contractors, and third-party entities, as relevant, to promote awareness and adherence to internal information security standards.
• Integrate security responsibilities into job-descriptions and the terms and conditions of employment.
• Provide regular awareness, training and resources to employees to help them understand their roles in maintaining security and preventing data breaches.

6.3 Risk Management

Findmore is committed to integrating risk management across all departments and activities at every level of the organization.
Strategic, organizational, financial, infrastructure, technical, operational and compliance potential risks are systematically identified, assessed, and mitigated in accordance with Risk Management Policy and underlying Process.

6.4 Information Security Controls

Information security controls shall be implemented, and categorized as follows:

People Controls: that pertain to individuals and their actions.
Physical Controls: related to physical assets and environments.
Technological Controls: focused on technology and digital infrastructure.
Organizational Controls: that address broader organizational processes and structures.

6.5 Compliance with relevant legal, regulatory, and contractual information security requirements

Findmore is committed to satisfy applicable requirements related to information security, including, but not limited to:

National and international applicable laws, including General Data Protection Regulation (GDPR).
Clients’ requirements.
ISO/IEC 27001 applicable standard.

And regularly assess practices to ensure that industry standards are meet

6.6 Information Security Incident Management

All employees, contractors, and third-party entities are:

Expected to report any incidents or suspicious activities immediately, allowing a swift response and ensuring the ongoing protection of information and systems.
Required to cooperate fully during investigation processes.
Document any findings for further analysis and improvement of security measures.

A reporting channel has been established as follows: helpdesk@findmore.pt.

6.7 Documental Framework

Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using Findmore’s ISMS.
The security controls are delivered through policies, processes and procedures, and supported by infrastructure, awareness/training sessions, as follows:

6.8 Continual Improvement

Findmore is committed to continual improvement of the information security management system (ISMS), through regular reviews and audit, and to ensure its continuing suitability, adequacy and effectiveness.

6.9 Exemptions and exceptions

Exemptions and exceptions to Information Security Policy must be:

Done with care,
Considered on a case-by-case basis,
Formally requested, and
Formally approved by Findmore Management.

The process for granting exemptions/exceptions will adhere to the following guidelines:

Request for Exception: Any department, team, or individual seeking an exception must submit a formal request, providing detailed reasons for the exception, and specify the policy, procedure, or control for which the exception is being sought.
Risk Assessment: A thorough risk assessment will be conducted to evaluate the potential impact of the exception on the security posture of Findmore. The assessment will consider the likelihood and impact of risks, as well as mitigation strategies to address them.
Approval Process: Exceptions will only be approved by Findmore’s Management.
Review and Monitoring: Approved exceptions will be reviewed periodically to ensure they remain justified and that any associated risks are being appropriately managed. Ongoing monitoring will be conducted to verify that compensating controls are effective.
Expiration of Exceptions: Exceptions will have an expiration date, after which the exception must be reassessed. If the exception is still necessary, a new request will need to be submitted, and the process will be repeated.
Communication of Exceptions: Any granted exception will be communicated to relevant stakeholders and departments to ensure that everyone is aware of the exception and its associated risks.
Documentation: Exceptions will be documented, including the duration of the exception, the justification for it, and any required compensating controls or mitigations.

7. POLICY REVIEW

This policy will be reviewed annually, or whenever there are significant changes in technology, regulatory requirements, or business operations that may require updates to the access management policy.

8. ENFORCEMENT

GENERAL INQUIRIES

info@findmore.eu

CAREERS

careers@findmore.eu

Av. D. João II, Lote 42,

Escritório 602,

1990-095 Lisbon

Lambroekstraat 5A
1831 Diegem

Belgium

Trinity House,
Charleston Road, Ranelagh,Dublin 6,
D06C8X4, Ireland

FOLLOW US ON SOCIAL MEDIA

Rua Júlio Dinis Nº247

4º Piso Fração E1,

4050-324 Oporto

R. Eng. Daniel Nunes,

Ed. Villatrium Lt B2, Frc DJ

3500-733 Viseu

Rua Ponta da Cruz 34,

3ºandar, Fração CC

9000-103 Funchal