Information Security Policy
Written by Linda Gehrig

1 Purpose

The purpose of this policy is to ensure the confidentiality, integrity and availability of all information processed within Dealfront and with its business partners. Information security must be applied at all stages of information processing in order to support the achievement of strategic goals. To achieve that, information is secured with multiple controls. This includes, but is not limited to, controls such as policies, guidelines, technical event monitoring and access controls.

2 Scope

This Information Security Policy applies to all information used at Dealfront. It applies to anyone who gains access to Dealfront's devices, systems or facilities. This includes employees, contractors, temporary staff, business partners and other third parties.

3 Policies

This policy is the overarching policy above the other security policies, which together make up Dealfront's information security program. The set of security policies includes:

1. Access Management Policy

2. Acceptable Use Policy

3. Asset Management Policy

4. Backup Policy

5. Business Continuity Plan

6. Code of Conduct

7. Data Classification Policy

8. Data Protection Policy

9. Data Retention Policy

10. Disaster Recovery Plan

11. Encryption Policy

12. Incident Response Plan

13. Open Source Policy

14. Password Policy

15. Physical Security Policy

16. Responsible Disclosure Policy

17. Risk Assessment Policy

18. Secure Development Policy

19. Software Development Life Cycle Policy

20. Vendor Management Policy

21. Vulnerability Management Policy

3.1 Policy review

At least annually, all information security policies must be reviewed and, where needed, amended to reflect technical or organizational changes and to meet the necessary security standards. All policies must be approved by their defined policy owners.

3.2 Policy accessibility

Policies and procedures must be accessible for review at all times. The relevant policies, which vary between roles, must be reviewed and signed annually by all staff.

4 Responsibilities

Information security responsibilities are applied as follows:

Employees, contractors and 3rd parties

  • Following information security policies and guidelines

  • Reporting information security risks in their field of work

  • Reporting suspected information security incidents

  • Reporting suspected information security weaknesses in systems or services

  • Attending information security training

  • Maintaining unmanaged endpoint security (non-company owned devices)

System owners and administrators

  • Applying required information security measures on systems

  • Monitoring risks affecting systems

Information security personnel

  • Development of information security policies, practices and guidelines

  • Handling reported information security incidents

  • Providing information security training

  • Risk management development and risk assessments

  • Security and privacy assessments

  • Vendor assessments

  • Reporting on the performance of the information security program to executive management

Executive management

  • Accepting information security policies

  • Accepting risks above the threshold defined in the Risk Assessment Policy

5 Information handling

Handling information classified as non-public requires permission from the information owner. Access shall be granted on a need-to-know basis. Information classified as public can be shared within or outside Dealfront without permission from the owner. More detailed information handling guidelines are available in the security handbook.

5.1 Information classification

All information, including documents, shall be classified. All documents are classified as Internal by default. Other classification types shall be used depending on the type of information and on whom it is meant to be shared with. Classification is also used to define the impact of security incidents. Obtain permission from the information owner before sharing information with other parties. Classification must use the following classes.

Classification: Description

Public: This type of information can be shared both within and outside the company. Publishing this type of information has no negative business impact nor brand damage.

Internal: This type of information is intended only for internal use within the company. If internal information is exposed, it may cause minor negative financial impact, publicity or profit loss.

Confidential: This type of information is sensitive but can be shared outside the company. Handling confidential information requires permission from the information owner. If confidential information is exposed, it may damage customer relationships, cause moderate negative publicity or profit loss.

Restricted: This type of information is the most sensitive. Handling restricted information requires permission from the information owner. Sharing this type of information must be controlled very carefully. If restricted information is exposed, it may severely damage customer relationships, cause major negative publicity and profit loss. In addition, exposing restricted information may cause irreparable brand damage, lead to criminal charges or massive legal fines and prevent the company reaching its strategic goals.

5.2 Labeling of documents

Documents shall be labeled with the selected classification type. If there is no label in the document, it shall be considered as Internal. Labeling instructions are maintained in the security handbook.

5.3 Destruction of classified material

Information stored in any asset must be irrevocably deleted before the asset is repurposed or removed. All physical storage media must be destroyed in accordance with company guidelines. When destroying printed classified material, it must be shredded with a paper shredder.

5.4 Acceptable use of IT assets

IT assets shall be used in accordance with the Acceptable Use Policy. Summary of that policy:

  • Only authorized personnel are allowed to use company-owned devices and company-provided services

  • Only company-owned devices, or user-owned devices agreed with Internal IT, may be used for accessing company-provided resources and services

  • Single sign-on (SSO, login with Okta/Google) shall be the primary login method

    • Where SSO login is not available, multi-factor authentication (MFA) shall be enabled

  • Only additional (non OS built-in) software necessary to perform work duties shall be installed on computers. The list of pre-approved clients and browsers is available in the security handbook.

  • Applications shall be installed only from trusted sources (e.g. official websites, App Store)

  • Security updates of operating systems and software must be installed as soon as possible

  • Hardware and software shall be appropriately licensed

  • Security controls such as anti-virus software or hard drive encryption must not be disabled under any circumstances

  • Screen locks must be enabled on all applicable devices

  • Devices, documents or notebooks must not be left unattended in public places (such as coworking spaces) or in the office outside working hours

  • Users must protect themselves from eavesdropping and shoulder surfing, especially in public places

  • The level of personal use must be reasonable and not harmful to the mission of Dealfront

  • Lost or stolen assets must be reported to Internal IT immediately

5.5 Media handling

  • Transferring company data to external media (e.g. USB hard drives) and non-company approved services is prohibited

  • Avoid paper printouts of any Confidential or Restricted data, in particular personal data. If printouts are required, store them in locked cabinets and, when no longer needed, destroy them with a paper shredder.

  • Before printing any material, consider its information classification

5.6 Return of IT assets

All users must return all the organizational assets (e.g. computers and mobile phones) in their possession upon termination of their employment, contract or agreement.

5.7 Asset retirement and warranty

Company-owned computers used by employees shall primarily be leased, with a 36 month leasing period. By default, devices shall be shipped back to the leasing company after the leasing period ends. The end user will have the option to purchase the device after the leasing period. All organizational data shall be removed from the device after the leasing period ends. The need to replace a computer or mobile device bought and owned by the company shall be evaluated by IT every 36 months. The evaluation must consider the purpose of the device, how the device is performing, and whether the manufacturer still supports the device, e.g. with the latest security patches. When a device is deemed unusable and/or out of support, it must be replaced, taking into consideration the purpose of the device. Device warranties are defined by the manufacturer.

6 Operations security

6.1 Protection from malware

To detect and prevent malware infections, the following controls are used: anti-virus software (EDR solution), e-mail filtering, firewalls, vulnerability management, risk management and security awareness training. Anti-virus software must be used on all workstations. On unmanaged workstations, anti-virus software is managed by the end user. Recovery and restoration after a malware infection must be handled in accordance with the Incident Response Plan. Business critical systems must have restoration plans in place.

6.2 Backup

Business critical systems must have a defined backup schedule in accordance with the Backup Policy.

6.3 Logging and monitoring

Event logs are used to detect and prevent unauthorized use of systems. They are also used as part of the security incident management process when needed. Access to logs is granted on a need-to-know basis, only to authorized individuals. Security event logs must be protected against tampering.

6.4 Vulnerability management

Technical vulnerabilities shall be handled in accordance with the Vulnerability Management Policy. Other vulnerabilities are handled in the risk management process.

6.5 Security incident management

Security incidents shall be handled in accordance with the Incident Response Plan. Responsibilities regarding security incidents are described in paragraph 4.

6.6 Password policy

Users must use a strong, unique password for each service. Passwords shall be at least 15 characters long. Passwords must be stored securely in the password management system designated by the company. It is recommended to generate passwords in the password management system, or to use passphrases, to meet the complexity requirements. Avoid using dates (e.g. birthdays), names (e.g. pets) or other personal information that can be found online in passwords. Default administrative account passwords of any hardware, such as firewalls or routers, must be changed after the initial login. The same applies to all applications with administrative accounts, including SaaS applications and services.

6.7 Access management

Access shall be managed in accordance with the Access Control Policy.

6.8 Mobile device policy

Mobile devices owned by the company must be registered in the mobile device management (MDM) system and in the asset registry. Dealfront must have the ability to remotely wipe business data from the devices with MDM, e.g. in the case of theft or end of employment. Mobile devices may be backed up with Google or Apple backup services, provided that Restricted data is not included in the backups. The same principles that apply to working with computers apply to mobile devices. See acceptable use of assets in paragraph 5.4.

7 Information security training

All personnel are required to attend the information security training provided by the company. The training program consists of the following: security training sessions and campaigns, static learning materials, and timely security tips and announcements, e.g. prompted by recent news.

8 Communications security

Firewalls and, where feasible, network segregation must be implemented on all internal company networks. Wireless networks must be protected with current encryption best practices. Firewall rules must be re-evaluated annually. Installing your own physical router, network or firewall equipment in the offices is prohibited. Sharing a Wi-Fi hotspot connection from your phone when the local network is unavailable is allowed. Application communications, including SaaS services, must be protected with current TLS best practices. The security of the networks used by endpoints must be ensured at all times. Mobile data shall be used in preference to public or unknown networks. If it is necessary to use a public or unknown network, the official network name (Wi-Fi SSID) must be confirmed, e.g. by asking the venue's staff. It is recommended to use the company-provided VPN whenever connected to unknown networks.

9 Physical security

9.1 Entry controls

Entry to office facilities is controlled by electronic keys. Only authorized personnel are allowed to use the keys. Electronic keys must not be attached to anything bearing the printed name "Dealfront", e.g. a branded lanyard. Guests must be escorted during the entire visit, and special care must be taken when entering and exiting facilities. Lost keys or access codes must be reported to local office management immediately.

9.2 Physical identification

All employees are identified by their face. Unidentified people must be reported to security personnel and escorted out of the office.

9.3 Inspection of incoming material

All incoming device deliveries must be inspected for evidence of tampering en route. If such tampering is discovered, it must be reported to security personnel immediately.

10 System acquisition, development and maintenance

Vendor assessments must be conducted in accordance with the Vendor Management Policy. Secure development practices are mandated in the Secure Development Policy. Information security and maintenance requirements for systems are described in the security handbook.

11 Cryptography

Company data must be encrypted at rest and in transit in accordance with the Encryption Policy. Physical endpoint device (computers and phones) disks must be encrypted. Application communications, including in SaaS services, must be protected with current TLS best practices. Key management practices are described in the security handbook.

12 Business continuity management

Dealfront must maintain up-to-date business continuity and disaster recovery plans. Business continuity management is described in the Business Continuity Plan.

13 Compliance

Compliance with applicable legislation, regulation and other contractual requirements must be ensured. Relevant records of compliance activities must be maintained.

Revision History

Version  Date        Editor           Description of Changes        Approved by
1.0      18.07.2022  Henri Markkanen  Initial Creation              Pekka Koskinen
1.1      02.05.2023  Henri Markkanen  Changes to policy references  Bastian Karweg
1.2      23.05.2023  Henri Markkanen  Minor changes                 Bastian Karweg
