Information Security Policy

Objective

This information security policy applies to PollenTech Oy located in Oulu, Finland. Information security refers to secure processing of all information regardless of its form. This includes ensuring the confidentiality, integrity, availability and non-repudiability of information. Information security is actively monitored and any deviations are promptly addressed in accordance with predefined methods. Information security is implemented and developed by means of solutions that are appropriate and cost-effective in relation to the risks involved. Employee, customer and partner agreements, privacy protection and other statutory regulations are taken into account.

Responsibilities

Main responsible for the information management is the company's operational management, namely CTO and CEO. The practices will contribute to employee's security awareness, to enable them to recognize security threats and act accordingly. All employees are expected to familiarize themselves and comply with the guidelines provided as well as to report any security threats and risks observed. Operative management is, in turn, responsible for ensuring that the employees have read the information security guidelines. In practice this can be most easily conducted as part of new employee induction.

Information security practices

Risk assessment

Information security risks are assessed, analyzed and prioritized on the bases of their business impact. Assessments must be made at the specification stage for the new systems and whenever significant changes occur that affect the criticality of operations.

Access rights management

Operational management specify the criteria for granting access rights, for both internal and external users.

Classification and processing of information

PollenTech uses an information security classification method to define how information is to be classified and how information belonging to different categories (public, internal, confidential, secret) is to be processed.

Processing of personal information

The remote processing of personal data is forbidden without the approval operational management. And in any case personal information is processed with required level of privacy in mind.

Use of PollenTech information network

Connecting to PollenTech information network or related services is possible only via hardware and software managed or approved by PollenTech operational management. To ensure information security, use of network is being monitored and, where necessary, restricted pertaining to the software and file formats allowed in the system. There is a dedicated secure procedure to be defined for connections from external partners in case needed.

Information security training

All employees will be trained to information security topics whenever there are significant changes to the information security policy and/or new software/hardware/regulations make it necessary.

Control and monitoring

Maintaining and improving information security requires systematic and continuous monitoring of the operation of information systems. Reports on the state of the information security are provided in connection with normal internal monitoring.

Processing of information security breaches

PollenTech must have in place effective procedures and tools for detecting of information security incidents. There are also plans for measures to be taken in exceptional situations.

Service provider monitoring

Service providers must undertake to comply with the information security requirements specified by PollenTech. These are agreed upon in service contract, and their implementation is monitored. Key service providers might be audited in a risk-oriented manner to ensure an adequate level of information security.

Communication to employees and partners

PollenTech will publish both internal and public version of the information security policy. The internal version will be provided to all employees through internal document sharing method. The public version will be available on PollenTech website.

Approval and confirmation of the information security policy


Reviewed and approved by the PollenTech management on 15.06.2015.