...

Purpose and definitions

The information assets that Pointsharp manages – both for itself, for its customers, and other parties – are of fundamental importance to Pointsharp's operations. The correct handling of these is important for the trust of employees, customers, partners, suppliers, and third parties. Information assets are all information that is of value to Pointsharp and the aforementioned parties, whether processed by analog or digital, automatically or manually and regardless of the form or environment in which it exists. The purpose of this information security policy is to demonstrate the management's intention to treat these assets by set goals and principles.

...

• Confidentiality, that information is not made available or forwarded to unauthorized persons in violation of legal requirements, rules, guidelines, or agreements.
• Integrity, that information is protected against unwanted change or deletion, whether intentional or unintentional.
• Availability, that information is available to the expected extent, for authorized users and within the desired time.
• Traceability, that all relevant actions associated with an individual's behavior can be saved and followed up over time.

Objectives and principles

By adopting this policy, Pointsharp undertakes to comply with the applicable information security requirements. The policy covers the entire operations of Pointsharp and contains objectives and principles so that:

• competence exists, and is constantly being developed, on how information security is ensured, maintained, and continually developed and improved;
• all relevant information assets are classified and handled according to established methodology;
• threats to information assets and services are continuously assessed and managed following a defined risk management process;
• the crisis management ability is continuously analyzed and maintained;
• unexpected and unwanted events leading to negative consequences are prevented;
• information security work is a natural and integrated part of the business;
• Information Security Management System (ISMS) and associated security measures are periodically audited to achieve continuous improvement; and
• discovered incidents, threats, and risks are reported for further processing.

Responsibilities

Responsibility for Pointsharp's information security work must comply with normal delegated operational responsibility at all levels.

...

The Internal Auditor works on behalf of the Board and reports to the Management Team.

Deviations and exceptions

In the event of deviations or exceptions from this policy or related regulations, these shall be reported to the Incident Manager, Security Manager, or another member of the Operational Security Team. The Incident Manager is responsible for assessing the severity of an incident in consultation with the Operational Security Team and together deciding on appropriate measures.

More serious incidents and events that may harm Pointsharp must be reported to the Management Team as soon as possible to minimize damage and prevent similar incidents. In cases where exceptions need to be made from decided and applied regulations, a risk analysis shall be carried out and proposals for exceptions shall be presented to the Operational Security Team for further decisions. Accepted exceptions (with compensating measures) can only be valid for 12 months.

Review and follow-up

The Information Security Policy, and the related regulatory frameworks for information security, must be reviewed and updated at least once every 12 months or if significant changes in the organization or the outside world occur. This is to ensure the continued suitability, accuracy, and effectiveness of the policy. The review will include an assessment of Pointsharp's possibilities to improve its regulatory framework and the organization's approach to information security based on changes in Pointsharp's environment, business conditions, legal requirements, and technical environment. The annual review shall be done so that the entire business is reviewed every 3 years.

Related documentation

The Information Security Policy describes Pointsharp's intentions regarding information security. To meet the needs of the business, there are additional and more detailed instructions and guidelines regarding what has to be implemented, and in what way, for the policy to be complied with.

Validity of the Information Security Policy

The Information Security Policy is reviewed and approved by the Pointsharp Board in December each year and is valid from January 1^st. An audit log is updated with a new decision date and a description of any changes.

Document history