Summary

The execution of business processes within IceHrm SaaS Ops is based on information obtained from information systems that may or may not be automated. Good progress of the business processes and the organization's survival are therefore increasingly dependent upon the reliability of the information and the information systems in which this information is processed. IceHrm SaaS Ops has an interest in an adequate level of information security, not just for its own operational management.

Customers, suppliers and supervisory authorities also make high demands of the reliability of the information provision of IceHrm SaaS. Insufficient information security at IceHrm SaaS Ops can lead to unacceptable risks when executing the processes. Incidents and violations of these processes can lead to large financial consequences and damage to reputation, not just for IceHrm SaaS Ops itself, but also for Customers, as they have entrusted IceHrm SaaS Ops with their information. The necessity to systematically address the security of the information provision is therefore extremely great.

The implementation of the Information Security Policy ensures that, within IceHrm SaaS, insight will be developed into the organizational value of the information regarding the execution of the processes, and into the dependencies and vulnerabilities of the processing and the underlying information systems. The insight into these risks enables a proper consideration to be made regarding the measures necessary to limit these risks. IceHrm SaaS Ops uses the following definition of information security: the total of standards, plans and measures to guarantee the availability, confidentiality and integrity of the information provision within IceHrm SaaS Services.

The general objective of IceHrm SaaS Ops' Information Security Policy is the establishment, recording and communication of objectives, key points and preconditions of IceHrm SaaS Ops with regard to the security of the information provision.

The Information Security Officer is responsible for upholding the policy, giving advice and guiding the implementation.

Management is responsible for the information security measures that are implemented within their section of the organization (divisions, departments and supporting business sections).

Line Management of these sections of the organization is primarily responsible for choosing, executing and upholding the information security measures. The Information Security Officer initiates policy-related activities, coordinates the introduction of the security measures and advises the responsible management.

All employees are responsible for the correct execution and upholding of the Information Security Policy and related standards and procedures.

Compliance with the Information Security Policy will be checked regularly by means of internal audits.

All security incidents, both real and suspected, should be reported to the Information Security Officer, so that immediate action can be undertaken to limit potential damage to IceHrm SaaS Ops, its employees and its Customers, as far as that is possible.

Introduction

IceHrm SaaS Ops uses the following definition of information security: Information security is the total of standards, plans and measures to guarantee the availability, confidentiality and integrity of the information provision within IceHrm SaaS Services.

Importance of information security

The execution of business processes within IceHrm SaaS Ops is based on information obtained from information systems that may or may not be automated. Good progress of the business processes and the organization's survival are therefore increasingly dependent upon the reliability of the information and the systems in which this information is processed. IceHrm SaaS Ops has an interest in an adequate level of information security, not just for its own operational management. Customers, suppliers and supervisory authorities also make high demands of the reliability of the information provision of IceHrm SaaS Services. Insufficient information security at IceHrm SaaS Ops can lead to unacceptable risks when executing the processes. Incidents and violations of these processes can lead to large financial consequences and damage to reputation. The necessity to systematically address the security of the information provision is therefore extremely great.

Quality aspects

Information security for the purpose of reliable information provision concerns the following quality aspects:

a. Availability: The information is available when the organization needs it.
b. Integrity: The information is completely accurate, up-to-date and verifiable.
c. Confidentiality: The information is accessible only to persons with authorized access.

Information security within IceHrm SaaS Ops is focused on both automated and non-automated information provision.

Objective

The objective of the Information Security Policy is:
a. Clearly indicating what its objectives, key points and preconditions are.
b. Clearly indicating who has what tasks, authority and responsibilities.

The Information Security Policy constitutes the basis for clarifying to all employees and relevant external relations of IceHrm SaaS Ops what the IceHrm SaaS Services' Information Security Policy involves.

Objective, position and scope

The general objective of the Information Security Policy is: the establishment, recording and communication of objectives, key points and preconditions of IceHrm SaaS Ops with regard to the security of the information provision of IceHrm's Global SaaS Services. Information security is based on three quality aspects:
a. availability
b. integrity
c. confidentiality

Availability - Guaranteeing the availability of the information provision comprises measures that ensure:
a. continuity
b. timeliness

Integrity - Guaranteeing the integrity of the information provision comprises measures that, with regard to data, software and information distribution, ensure:
a. accuracy and consistency
b. validity
c. completeness
d. verifiability
e. authenticity

Confidentiality - Guaranteeing the confidentiality of the information provision comprises measures that ensure:
a. Exclusivity of information: programs, data and equipment are only accessible to those who have explicitly been authorized for this.
b. Protection of privacy when storing and using information.

Key points and preconditions

Within IceHrm SaaS Services, the ISO27001 (Code of Practice for Information Security) has been adopted as the standard in which the guidelines to be used for information security are recorded. The information security requirements are recorded in the Standards Framework and should be specified for each section of the organization. The intended measures should be in agreement with these requirements.

Rights to data collections and information systems

For each section of the organization, it has been established who the holder is for each data collection and each personal data register, and therefore who has control over this data collection. The holder determines how the management of these data takes shape:
a. Who has access to the data (authorizations).
b. Who is authorized to consult, alter, remove or provide data to third parties.
c. Who will monitor the constant integrity of the data collections and information systems.

Prior to implementation, it is clear to all parties involved with each developed system who has ownership and where the system management will be performed.

Owners of information and information systems

Information systems or resources and data collections have an owner. Resources are, for example, applications, network infrastructures, data, desktops, laptops, mobile equipment, et cetera. The owner is responsible for the availability, the integrity and the confidentiality of the information, the information system or resource. This also applies to outsourcing.

Owners of information and information systems are responsible for:
a. Determining the value and the importance of information and information systems.
b. Classifying information and information systems.
c. Evaluating the risks of the information provision, and identifying the necessary security measures.
d. Guaranteeing that all security measures are implemented and that the implemented security measures are effective.
e. Guaranteeing that personal data are treated in agreement with compliance standards.

Note: the owner of information and the owner of the system processing this information can be two different people.

Information security is a line responsibility

Although the Information Security Officer establishes the Information Security Policy (strategically/tactically), it is the line's task to shape this further (tactically/operationally). The Line Managers are responsible for the correct execution of their instructed business processes, the associated information provision and for its proper functioning, and thereby also for the information security. The integral management has the primary responsibility for choosing, executing and upholding the information security measures.

Information provision is everyone's responsibility

The security philosophy of IceHrm SaaS Ops expects a duty of care and alertness from each employee. It is expected that everyone will act in agreement with the specified regulations, for example with regard to the use of passwords. Management is expected to encourage this conduct.

Information security is part of operational management

For IceHrm SaaS Ops, information security is not an objective or policy per se, but an integral part of the business objectives and the management system of the operations. Correct security contributes to the business goals and to the reliable execution of the business processes. The aim should be optimum information security, whereby the following aspects play a role:
a. The consequences in relation to compliance requirements of the data recorded and processed by IceHrm SaaS Ops.
b. The necessity of minimizing the security risks and the security demands based on this.
c. The desired level of efficiency and effectiveness of the information provision.
d. The costs and the burdens of the information provision.

Handling information provision

Reliability requirement

The basis of the information security is formed by the set of standards (what). These standards are subsequently translated, by the sections of the organization, into suitable, specific measures (how). Every section of the organization is thus obliged to explicitly make a motivated statement about the desired security level and, by itself, identify measures based on classification and risk analysis. Every section of the organization should thereby, for its separate information systems, continually consider if the general level of security is appropriate, or if additional measures are necessary.

Risk analysis

IceHrm SaaS Ops performs cyclic risk analysis, whereby the threats to, effects on and vulnerability of the information systems and data, as well as the likelihood of these threats occurring, are judged. Based on the risk analysis, security measures are determined whereby a security level acceptable to IceHrm SaaS Ops is realized. In determining the measures, the costs and benefits of these measures are considered.

Handling incidents

If IceHrm becomes aware of any unlawful access to their Services, or unauthorized access to these services, or unlawful access to any Customer Data stored on Microsoft's equipment or in Microsoft's facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Customer Data (each a Security Incident), IceHrm will promptly: notify Customer of the Security Incident; investigate the Security Incident and provide Customer with detailed information about the Security Incident; and take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

In order to be able to react appropriately to security incidents that may occur, these incidents will be classified. After a security incident is resolved, an evaluation takes place, and possible measures will be taken to prevent comparable incidents in the future or to limit the consequences of an incident. Users who notice an incident (or suspected incident) or a violation of the information security will report this to the Information Security Officer. He/She will take care of classifying the incident and of its further handling. Depending on the classification, the Information Security Officer will notify management and the applicable Business Units.

Information security is a continual process

A reliable information provision demands continual attention. Alterations in the organization and/or the information provision, and the way in which the information provision is deployed for the purpose of operational management and process control, directly affect the reliability requirements demanded of the information provision and the measures that should be taken to ensure that.

Drawing up and implementing Information Security Policy

In this step, the objectives, preconditions and key points are recorded as well as the way in which the policy is translated into concrete measures. The policy is drawn up by the Information Security Officer.

Formulating and implementing basic security

The basis for information security is shaped by the IceHrm SaaS Ops standards framework, based on the Code of Practice for Information Security. This standards framework supplements the Information Security Policy. The standards framework is subsequently translated into suitable security measures by the various sections of the organization. The establishment and prioritization of the measures to be taken is based on risk analysis.

Additional security

There are systems that demand higher reliability requirements (in terms of Availability, Integrity and Confidentiality). The process of considering additional measures should be clear and reproducible. The additional measures are subsequently implemented and communicated.

Security management and review

Information security requires a continual effort (security management) and is therefore not a one-off activity. Reliable information provision demands constant attention. Following implementation, it is checked that the measures are indeed executed as intended (review). Periodic evaluation is necessary to determine whether the chosen measures still suffice; they are adjusted where necessary.