1. Purpose
The purpose of the Information Security Policy of Basiq is to maintain an information security management system designed to meet all applicable requirements of the ISO/IEC 27001:2013 standard, in support of Basiq's primary objectives and of the purpose and context of the organisation.
2. Scope
This Policy applies to all employees of Basiq. It also applies to Basiq's interested parties (stakeholders), such as contractors, consultants, temporary staff and third parties, referred to in the rest of this document as Basiq cooperators.
This Policy applies to all information assets owned or leased by Basiq.
3. Information Security Policy
Information, regardless of the form it takes (written, spoken, printed or electronic), is a primary business asset that has value and therefore must be adequately protected. Information, together with other information assets (components such as people, facilities and equipment), makes up the information system of Basiq.
In order to protect all of Basiq's information assets from various threats (computer fraud, espionage, hacker attacks, viruses, floods, fires, earthquakes, etc.), and to ensure business continuity, minimize damage, maximize return on investment, maintain legal compliance and improve its image, the CEO of Basiq has approved this policy, which sets the goals and fundamental principles for establishing effective information system security.
The CEO is directly responsible for providing clear and concrete support for the implementation of the information security policy and for monitoring its application in daily operations, by delegating responsibilities and establishing an appropriate organizational structure.
To achieve these goals, the CEO has appointed a person responsible for information security, the Information Security Manager, whose role and duties are governed by a separate document, Information Security Manager Responsibilities.
The Information Security Manager is the owner of the Information Security Policy.
To meet the security goals, it is necessary to take measures and implement security controls that protect and uphold the three basic principles of information system security:
• Confidentiality - protecting information from unauthorized disclosure and access,
• Integrity - ensuring the accuracy and completeness of information and information assets, and
• Availability - ensuring that authorized users have access to information and information systems whenever they need it.
By upholding these principles of information security, Basiq will:
• Ensure compliance with relevant legal, regulatory and contractual requirements, with the strategic business plans and goals of Basiq, and with the requirements of the ISO/IEC 27001:2013 standard;
• Provide leadership in involving all employees, at all levels, in achieving Basiq's ISMS goals, which together lead to a high level of information security;
• Educate all users of the information system in security awareness: the threats to the business, how to protect information, and how to care for the information system and uphold its objectives and principles in everyday work;
• Develop employees' awareness of, and a culture around, their role and responsibilities, with a clear organization and division of responsibilities in terms of information security;
• Maintain and improve the system for the safety of employees, clients, information and property;
• Implement appropriate screening for every new hire, in order to minimize the risk of any breach of this policy;
• Maintain an inventory of all equipment and other assets and record every change to it, in order to prevent unauthorized dealing, theft, appropriation, misuse or removal of assets from Basiq;
• Analyze the risks associated with Basiq's information assets whenever necessary and implement formal information security risk management processes, in order to reduce the impact of threats on the organization's information assets;
• Establish a system for the classification, labeling, storage and use of information, in order to prevent unauthorized access, theft, misuse, destruction or alteration of its contents;
• Not allow the introduction or use of unverified or illegal equipment and software in its computer information systems, unauthorized access to information and information assets, loss, damage or unauthorized modification of information, interruption of business processes, or theft or misuse of information and information processing assets;
• Provide an appropriate level of security for information and information resources in all parts of the organization by establishing security zones and limiting physical access;
• Through regular monitoring and reporting of human errors, defects, damage, security incidents and unauthorized activities, constantly learn and improve, and thereby reduce the effects of isolated and hidden threats to the security of information and information assets;
• Ensure the continuity of critical business processes, within a reasonable and acceptable time frame, in case of unavailability of information systems, through the development, implementation and testing of up-to-date business continuity plans;
• Through regular annual internal and external audits of the ISMS, ensure that the information security management system complies with the information security policies and the ISO/IEC 27001:2013 standard, and continually improve it.
The principles stated above set the direction and provide the support for establishing a system for managing information system security in accordance with the requirements of the standard.
To support the information security policy, additional documents, policies, regulations, procedures and guidelines are created.
All employees, consultants, external consultants, temporary employees, contractors, subcontractors and third parties with which Basiq has any business cooperation should be aware of their obligations and responsibilities, as defined in their job description or contract, and act in accordance with this policy.
They are responsible for preserving the confidentiality, availability and integrity of Basiq's information and other information resources at all stages of their life cycle, and for ensuring that their actions do not compromise their security.
Failure to comply with the Information Security Policy entails disciplinary responsibility.
This policy has been approved by the CEO of Basiq and provides a framework for setting Basiq's relevant goals and basic principles for establishing an effective information security management system (ISMS).
Sydney, Australia 2020-09-1
CEO Damir Cuca