This information security policy applies to PollenTech Oy located in Oulu, Finland. Information security refers to secure processing of all information regardless of its form. This includes ensuring the confidentiality, integrity, availability and non-repudiability of information. Information security is actively monitored and any deviations are promptly addressed in accordance with predefined methods. Information security is implemented and developed by means of solutions that are appropriate and cost-effective in relation to the risks involved. Employee, customer and partner agreements, privacy protection and other statutory regulations are taken into account.
Primary responsibility for information management lies with the company's operational management, namely the CTO and CEO. The practices will contribute to employees' security awareness, enabling them to recognize security threats and act accordingly. All employees are expected to familiarize themselves with and comply with the guidelines provided, as well as to report any security threats and risks observed. Operative management is, in turn, responsible for ensuring that the employees have read the information security guidelines. In practice, this is most easily done as part of new employee induction.
Information security risks are assessed, analyzed and prioritized on the basis of their business impact. Assessments must be made at the specification stage for new systems and whenever significant changes occur that affect the criticality of operations.
Operational management specifies the criteria for granting access rights, for both internal and external users.
PollenTech uses an information security classification method to define how information is to be classified and how information belonging to different categories (public, internal, confidential, secret) is to be processed.
The remote processing of personal data is forbidden without the approval of operational management. In any case, personal information is processed with the required level of privacy in mind.
Connecting to the PollenTech information network or related services is possible only via hardware and software managed or approved by PollenTech operational management. To ensure information security, use of the network is monitored and, where necessary, restricted with respect to the software and file formats allowed in the system. A dedicated secure procedure is to be defined for connections from external partners where needed.
All employees will be trained in information security topics whenever there are significant changes to the information security policy and/or new software, hardware or regulations make it necessary.
Maintaining and improving information security requires systematic and continuous monitoring of the operation of information systems. Reports on the state of information security are provided in connection with normal internal monitoring.
PollenTech must have in place effective procedures and tools for detecting information security incidents. There are also plans for measures to be taken in exceptional situations.
Service providers must undertake to comply with the information security requirements specified by PollenTech. These are agreed upon in the service contract, and their implementation is monitored. Key service providers might be audited in a risk-oriented manner to ensure an adequate level of information security.
PollenTech will publish both an internal and a public version of the information security policy. The internal version will be provided to all employees through the internal document sharing method. The public version will be available on the PollenTech website.
Reviewed and approved by the PollenTech management on 15.06.2015.