Thinking Portfolio Information Security Policy
Introduction
This information security policy describes the objectives, guidelines, and responsibilities for the information security of Thinking Portfolio Oy. Information security refers to ensuring the confidentiality, integrity, and availability of information, regardless of its form or how it is presented.
Thinking Portfolio Oy is committed to continuously improving information security using a risk-based approach. The information security policy and the appropriateness of the information security management system are evaluated annually by the company's board.
The information security policy and its realization are crucial for the long-term success of Thinking Portfolio, and they align strongly with our values. The policy's objective is to ensure continuity of operations in all circumstances. Our customers entrust their confidential information to us for processing, and maintaining this trust is essential for us.
We identify our customers' expectations, agreements, law-based obligations, and the factors that affect the provision of secure services. Our employees and our partner organizations' employees are committed to complying with our information security policy and the related policies and guidelines.
Scope
This policy defines the basic requirements for information security and creates the basis for planning and implementing activities in accordance with the policy. More detailed guidelines are defined to support the implementation of different areas of information security.
Responsibilities
The information security policy is approved by the company’s board, and its implementation is the responsibility of the CEO, with the support of the information security officer and the data protection officer.
Information security has its own steering group, which ensures the adequacy, implementation, and development of the management system.
All our employees and our partner organizations' employees are committed to promoting information security in accordance with these guidelines and to promptly responding to any information security deviations.
Implementation
Risk Management
Risk management is a key approach through which we identify areas for improvement and promote information security. Risk assessment is carried out regularly and in connection with significant changes.
Continuous Improvement
Risk assessment, the identification and monitoring of deviations, and general situational awareness provide the necessary input for continuous improvement.
Identification and Classification of Information
We are familiar with the content of the information we handle. Information is classified based on its information security requirements, which in turn guides its handling.
Information Security Training and Awareness
We monitor current issues related to information security and train our staff on role-based topics, current phenomena, and general information security matters.
Information Security Incidents
Our staff is obligated to report security incidents. Handling information security incidents in a consistent way ensures that the necessary documentation is produced, that reporting obligations are fulfilled, and that each incident feeds back into development and learning.
Consistent Software Development Practice
Application development is carried out according to a documented procedure that is regularly reviewed and revised. Third-party audits, conducted at least annually, are our way of ensuring the reliability of this process.