Information security policy
"Computer Information Technologies", LLC (brand name "Kitsoft") is committed to setting high-level policies and principles for information security in our organization.
The information security policy is developed in accordance with the company's internal regulatory documents, the requirements of the current legislation of Ukraine, DSTU ISO/IEC 27001:2023 "Information security, cybersecurity, and confidentiality protection. Information security management systems. Requirements," and DSTU ISO/IEC 27002:2023 "Information security, cybersecurity, and confidentiality protection. Information security control measures," and takes into account international information security standards and the universally accepted principles of ensuring information security and cybersecurity in international practice.
The purpose of this Information Security Policy is to establish general principles, standards, and requirements to ensure the confidentiality, integrity, and availability of information, as well as to comply with the requirements of ISO/IEC 27001:2023.
The Information Security Policy is the top-level document within the information security management system. Components of the information security management process that are not covered in the Policy are described in other internal regulatory documents of the company, such as guidelines and procedures, and are supported by further documents, including subordinate policies and procedures.
1. Terms and abbreviations
1.1. The following definitions and abbreviations are used in this Policy:
- Company - the group of companies comprising LLC "CIT", LLC "Kitsoft", LLC "Kit Group", and LLC "Kitsoft Plus".
- Company Management - the CEO.
- Confidentiality - the property of information that prevents unauthorized access and/or disclosure.
- Integrity - the property of information that prevents unauthorized modification.
- Availability - the property of being accessible and usable by authorized entities upon request.
- Observability - the property of a system that allows monitoring user and process activities, the use of passive objects, and uniquely identifying those involved in specific events for the purpose of enforcing security policies and/or assigning responsibility for specific actions.
- Policy - Information Security Policy.
- Risk - the probability of a harmful impact on the business due to a breach of the confidentiality, integrity, or availability of information.
- Threat - any circumstance or event that may cause a breach of the information security policy and/or harm to the automated system.
- ISMS - Information Security Management System.
- Information Security - a multi-level complex of organizational measures, software, and technical means that ensure the protection of information from accidental and intentional threats, which can lead to violations of security principles: availability, integrity, confidentiality, and observability.
- Information Security Incident (IS incident) - the occurrence of one or more unwanted or unexpected information security events that have an actual or significant likelihood of adverse consequences for information security, information, information assets, or business processes, or that cause damage to the company and its protection system.
- Information Resource - a set of human, hardware, and software resources in the information systems and processes of the company.
- Minimum Level of Authority - the permissions and access rights minimally required for employees of the company to perform their job duties effectively.
Other terms used in the Policy are used in the meanings defined by the laws of Ukraine and DSTU ISO/IEC 27000:2023.
2. Objectives of the document
The objective of this policy is to implement and ensure the effective operation of the Information Security and Cybersecurity Management System. This system aims to provide the security and reliability of the company's business processes and to protect information and resources from external and internal threats, including both intentional and unintentional actions by company employees. It also seeks to ensure the continuous operation of the company, contribute to the minimization of operational risks, and build a positive reputation for the company when interacting with clients.
3. Scope of application
The scope of application for this policy extends to all employees, departments, and structures within the company, as well as to all other parties who have access to the company's information.
4. Approaches to Information Security Management
4.1. Approaches to Defining ISMS Objectives
Information security objectives are established to maintain proper protection of information (primarily restricted access information) while ensuring its integrity, confidentiality, availability, and observability. Information security objectives are expressed as characteristics and parameters; information security measures are implemented to achieve them, and qualitative and quantitative indicators for them are established within the internal control system of ISMS processes.
Information security objectives are derived from the external and internal factors that determine the company's activities, namely:
- Laws of Ukraine.
- Information security standards.
- Results of risk assessments that take into account the overall business strategy and goals of the company.
- Internal regulatory documents of the company that regulate the principles of information exchange and processing in accordance with business needs.
Information security objectives are approved in a separate section of the company's internal regulatory document for ISMS management.
4.2. Information Security Incident Management
The company's approach to information security incident management is to:
- Efficiently detect and record security events, and confirm whether they qualify as security incidents.
- Consistently assess and respond to identified security incidents in the most appropriate and effective manner.
- Operate an effective incident management system to minimize adverse consequences for the company.
- Inform those responsible for information security about security incidents in a timely manner through the escalation process.
- Monitor, assess, and mitigate security vulnerabilities to reduce the number of incidents.
4.3. Approaches to Information Security Management and Monitoring
To manage information security within the company, an effective combination of technical and organizational solutions is employed, enabling high-quality monitoring of the state of the Information Security Management System (ISMS).
- Technical solutions encompass a set of tools for collecting information about the state of elements within information systems, as well as mechanisms to influence their behavior. This includes tools for monitoring malicious software, as well as security event and incident management systems.
- Organizational solutions take the form of established processes involving people (employees) to ensure the necessary level of monitoring of IT systems and information security subsystems. This makes it possible to form incident response teams consisting of experts at various levels and to create a security operations center.
5. Principles and Requirements of Information Security
5.1. The fundamental principle of information security is to maintain proper protection of the company's information assets (primarily restricted access information) while ensuring its integrity, confidentiality, availability, and observability.
5.2. The principles of ensuring information security include:
- A systematic (comprehensive) approach to ensuring the company's information security.
- Continuity in the process of improving and developing information security, achieved through the rational implementation of means, methods, and measures based on best international practices.
- Timeliness and adequacy of security measures against real and potential threats to the company's information security.
- Control over, and support for, an appropriate level of information security by the company's management.
5.3. The company's management actively supports the implementation of information security and ensures its adequate funding.
5.4. Documents related to information security are developed by the Information Security Department in collaboration with other departments within their respective areas of activity. The Information Security Department is responsible for the ongoing monitoring, implementation, improvement, and support of the Policy to keep it current.
5.5. The company develops internal documents that specify, among other things:
- Requirements for the use, provision, revocation, and monitoring of access to the company's information systems.
- Requirements for protection against malicious code and how that protection is organized.
- Use of cryptographic means for information protection.
- Requirements for the use of corporate email.
- Requirements for the use of devices for work purposes.
- Requirements for the incident management process in information security.
5.6. The company follows the principle of granting the minimum level of privileges when providing access to its information systems, including for privileged users.
5.7. The company utilizes standards, documents, and guidelines from the "Open Web Application Security Project" (OWASP) for developing secure applications.
5.8. During the development, implementation, and operation of software and technical complexes, the company considers information security requirements, including:
- Security measures are implemented at all stages of the software development lifecycle, including continuous updates and security testing of company products to prevent vulnerabilities.
- Regular security audits and vulnerability assessments are conducted, including periodic security audits to identify potential risks and vulnerabilities in software and infrastructure.
5.9. The company's public services and internal networks must comply with information security standards.
5.10. The company has developed and approved a business continuity plan that takes into account the continuity of information security measures within the company's business continuity management process.
5.11. Each employee of the company is responsible for ensuring compliance with the company's information security requirements while performing their job duties and responsibilities. Employees are held accountable for not adhering to the information security requirements set out in the company's internal documents and current legislation.
5.12. The company supports an awareness and training program by regularly conducting information security training for all employees, with a focus on understanding internal and external threats and appropriate response measures.
5.13. The company actively promotes reputation strengthening and public relations, including:
- Developing and implementing crisis management strategies that include public relations communication plans for responding to security incidents.
- Maintaining open and transparent communication with customers and partners regarding the company's efforts in the field of information security.
5.14. The content of the Policy must be communicated to all company employees. The company is obliged to familiarize new employees with the Policy during their onboarding process. Each employee of the company is required to read and acknowledge the Policy by signing it and providing a commitment to confidentiality.
6. Document Updating
6.1. The Policy is approved by the company's Management.
6.2. The Policy is kept up-to-date and reviewed at least once a year. If no changes are made to the Policy as a result of the review, re-approval is not required.
6.3. The grounds for amending the Policy include changes in the information infrastructure and/or the implementation of new information technologies; changes in legislation, information security standards, and other regulations; or other significant changes.
6.4. Changes and amendments to the Policy are coordinated and approved by the company's management.
This Information Security Policy is mandatory for all Kitsoft company employees and reflects our commitment to ensuring a high level of information security in all aspects of the company's activities.