1 Purpose
The purpose of this policy is to ensure the confidentiality, integrity and availability of all information processed within Dealfront and with its business partners. Information security must be applied at all stages of information processing in order to support the achievement of strategic goals. To achieve that, information is secured with multiple layered controls. These include, but are not limited to, policies, guidelines, technical event monitoring and access controls.
2 Scope
This Information Security Policy applies to all information used at Dealfront and to anyone who gains access to Dealfront's devices, systems or facilities. This includes employees, contractors, temporary staff, business partners and other third parties.
3 Policies
This policy is the overarching policy above the rest of the security policies that make up Dealfront's information security program. The security policies are:
1. Access Management Policy
2. Acceptable Use Policy
3. Asset Management Policy
4. Backup Policy
5. Business Continuity Plan
6. Code of Conduct
7. Data Classification Policy
8. Data Protection Policy
9. Data Retention Policy
10. Disaster Recovery Plan
11. Encryption Policy
12. Incident Response Plan
13. Open Source Policy
14. Password Policy
15. Physical Security Policy
16. Responsible Disclosure Policy
17. Risk Assessment Policy
18. Secure Development Policy
19. Software Development Life Cycle Policy
20. Vendor Management Policy
21. Vulnerability Management Policy
3.1 Policy review
All information security policies must be reviewed at least annually and amended as needed to reflect technical or organizational changes and to meet the required security standards. All policies must be approved by their defined policy owners.
3.2 Policy accessibility
Policies and procedures must be accessible for review at all times. The policies relevant to a role, which vary between roles, must be reviewed and signed annually by all staff.
4 Responsibilities
Information security responsibilities are applied as follows:
Employees, contractors and 3rd parties
Following information security policies and guidelines
Reporting information security risks in their field of work
Reporting suspected information security incidents
Reporting suspected information security weaknesses in systems or services
Attending information security training
Maintaining the security of unmanaged endpoints (non-company-owned devices)
System owners and administrators
Applying required information security measures on systems
Monitoring risks affecting systems
Information security personnel
Development of information security policies, practices and guidelines
Handling reported information security incidents
Providing information security training
Risk management development and risk assessments
Security and privacy assessments
Vendor assessments
Reporting on the performance of the information security program to executive management
Executive management
Accepting information security policies
Accepting risks above the threshold defined in the Risk Assessment Policy
5 Information handling
Handling information classified as non-public requires permission from the information owner. Access shall be granted on a need-to-know basis. Information classified as public can be shared within or outside Dealfront without permission from the owner. More detailed information handling guidelines are available in the security handbook.
5.1 Information classification
All information, including documents, shall be classified. All documents are classified as Internal by default. Other classification types shall be used based on the type of information and on whom it is meant to be shared with. Classification is also used to define the impact of security incidents. Permission from the information owner must be obtained before sharing information with other parties. Classification must use the following classes.
| Classification | Description |
| --- | --- |
| Public | This type of information can be shared both within and outside the company. Publishing this type of information has no negative business impact and causes no brand damage. |
| Internal | This type of information is intended for internal use within the company only. If internal information is exposed, it may cause minor negative financial impact, negative publicity or loss of profit. |
| Confidential | This type of information is sensitive but may be shared outside the company. Handling confidential information requires permission from the information owner. If confidential information is exposed, it may damage customer relationships or cause moderate negative publicity or loss of profit. |
| Restricted | This type of information is the most sensitive. Handling restricted information requires permission from the information owner, and sharing it must be controlled very carefully. If restricted information is exposed, it may severely damage customer relationships and cause major negative publicity and loss of profit. In addition, exposing restricted information may cause irreparable brand damage, lead to criminal charges or major legal fines, and prevent the company from reaching its strategic goals. |
5.2 Labeling of documents
Documents shall be labeled with the selected classification type. A document without a label shall be treated as Internal. Labeling instructions are maintained in the security handbook.
5.3 Destruction of classified material
Information stored in any asset must be irrevocably deleted before the asset is repurposed or removed. All physical storage media must be destroyed in accordance with company guidelines. When destroying printed classified material, it must be shredded with a paper shredder.
5.4 Acceptable use of IT assets
IT assets shall be used in accordance with the Acceptable Use Policy. A summary of the policy:
Only authorized personnel are allowed to use company-owned devices and company-provided services
Only company-owned devices, or user-owned devices agreed with Internal IT, may be used for accessing company-provided resources and services
Single sign-on (SSO, login with Okta/Google) shall be used for login wherever it is available
Where SSO login is not available, multi-factor authentication (MFA) shall be enabled
Only the additional (non OS built-in) software necessary to perform work duties shall be installed on computers. The list of pre-approved clients and browsers is available in the security handbook.
Applications shall be installed only from trusted sources (e.g. official websites, App Store)
Security updates for operating systems and software must be installed as soon as possible
Hardware and software shall be appropriately licensed
Security controls such as anti-virus software or hard drive encryption must not be disabled under any circumstances
Screen locks must be enabled on all applicable devices
Devices, documents or notebooks must not be left unattended in public places (such as coworking spaces) or in the office outside working hours
Users must protect themselves against eavesdropping and shoulder surfing, especially in public places
The level of personal use must be reasonable and not harmful to the mission of Dealfront
Lost or stolen assets must be reported to Internal IT immediately
5.5 Media handling
Transferring company data to external media (e.g. USB hard drives) or to services not approved by the company is prohibited.
Avoid paper printouts of any Confidential or Restricted data, in particular personal data. If required, store in locked cabinets and when no longer needed, destroy with a paper shredder.
Before printing any material, consider the information classification of it
5.6 Return of IT assets
All users must return all the organizational assets (e.g. computers and mobile phones) in their possession upon termination of their employment, contract or agreement.
5.7 Asset retirement and warranty
Company-owned computers used by employees shall primarily be leased, with a 36-month leasing period. By default, devices shall be shipped back to the leasing company when the leasing period ends; the end user has the option to purchase the device instead. All organizational data shall be removed from the device when the leasing period ends. For computers and mobile devices bought and owned by the company, IT shall evaluate the need for replacement every 36 months. The evaluation must consider the purpose of the device, how the device is performing, and whether the manufacturer still supports it, e.g. with the latest security patches. When a device is deemed unusable and/or out of support, it must be replaced with a device suited to its purpose. Device warranties are defined by the manufacturer.
6 Operations security
6.1 Protection from malware
To detect and prevent malware infections, the following controls are used: anti-virus software (an EDR solution), e-mail filtering, firewalls, vulnerability management, risk management and security awareness training. Anti-virus software must be used on all workstations. On unmanaged workstations, anti-virus software is managed by the end user. Recovery and restoration after a malware infection must be handled in accordance with the Incident Response Plan. Business-critical systems must have restoration plans in place.
6.2 Backup
Business critical systems must have a defined backup schedule in accordance with the Backup Policy.
6.3 Logging and monitoring
Event logs are used to detect and prevent unauthorized use of systems. They are also used as part of the security incident management process when needed. Access to logs is granted on a need-to-know basis, only to authorized individuals. Security event logs must be protected against tampering.
6.4 Vulnerability management
Technical vulnerabilities shall be handled in accordance with the Vulnerability Management Policy. Other vulnerabilities are handled in the risk management process.
6.5 Security incident management
Security incidents shall be handled in accordance with the Incident Response Plan. Responsibilities regarding security incidents are described in paragraph 4.
6.6 Password policy
Users must use a strong, unique password for each service. Passwords shall be at least 15 characters long and must be stored securely in the password management system designated by the company. It is recommended to generate passwords in the password management system or to use passphrases to meet the requirements. Avoid using dates (e.g. birthdays), names (e.g. pets) or other personal information that can be found online in passwords. Default administrative passwords of any hardware, such as firewalls or routers, must be changed after the initial login. The same applies to all applications with administrative accounts, including SaaS applications and services.
6.7 Access management
Access shall be managed in accordance with the Access Management Policy.
6.8 Mobile device policy
Mobile devices owned by the company must be registered in the mobile device management (MDM) system and in the asset registry. Dealfront must be able to remotely wipe business data from the devices via MDM, e.g. in case of theft or at the end of employment. Mobile devices may be backed up to Google or Apple backup services, provided that Restricted data is not included in the backups. The same principles that apply to working with computers apply to mobile devices; see acceptable use of IT assets in paragraph 5.4.
7 Information security training
All personnel are required to attend the information security training provided by the company. The training program consists of security training sessions and campaigns, static learning materials, and timely security tips and announcements, e.g. in response to recent news.
8 Communications security
Firewalls and, where feasible, network segregation must be implemented on all internal company networks. Wireless networks must be protected with current encryption best practices. Firewall rules must be re-evaluated annually. Installing personal physical routers, network or firewall equipment in the offices is prohibited. Sharing a Wi-Fi hotspot connection from a phone when the local network is unavailable is allowed. Application communications, including SaaS services, must be protected with current TLS best practices. The security of the networks used by endpoints must be ensured at all times. Mobile data shall be used in preference to unknown public networks. If an unknown public network must be used, the official network name (Wi-Fi SSID) must be verified, e.g. by asking staff. Using the company-provided VPN is recommended whenever connected to unknown networks.
9 Physical security
9.1 Entry controls
Entry to office facilities is controlled by electronic keys. Only authorized personnel are allowed to use the keys. Electronic keys must not be attached to anything bearing the Dealfront name, e.g. a branded lanyard. Guests must be escorted for the entire duration of their visit; special care must be taken when entering and exiting facilities. Lost keys or access codes must be reported to local office management immediately.
9.2 Physical identification
Employees are identified visually, by face. Unidentified people must be reported to security personnel and escorted out of the office.
9.3 Inspection of incoming material
All incoming device deliveries must be inspected for evidence of tampering en route. If such tampering is discovered it must be immediately reported to security personnel.
10 System acquisition, development and maintenance
Vendor assessments must be conducted in accordance with the Vendor Management Policy. Secure development practices are mandated in the Secure Development Policy. Information security and maintenance requirements for systems are described in the security handbook.
11 Cryptography
Company data must be encrypted at rest and in transit in accordance with the Encryption Policy. The disks of physical endpoint devices (computers and phones) must be encrypted. Application communications, including those of SaaS services, must be protected with current TLS best practices. Key management practices are described in the security handbook.
12 Business continuity management
Dealfront must maintain up-to-date business continuity and disaster recovery plans. Business continuity management is described in Business Continuity Plan.
13 Compliance
Compliance with applicable legislation, regulation and other contractual requirements must be ensured. Relevant records of compliance activities must be maintained.
Revision History
| Version | Date | Editor | Description of Changes | Approved by |
| --- | --- | --- | --- | --- |
| 1.0 | 18.07.2022 | Henri Markkanen | Initial creation | Pekka Koskinen |
| 1.1 | 02.05.2023 | Henri Markkanen | Changes to policy references | Bastian Karweg |
| 1.2 | 23.05.2023 | Henri Markkanen | Minor changes | Bastian Karweg |