Information security: Guiding principles

The processing of information is part of our day-to-day business. In order to ensure the security of that information, we need a set of basic objectives to which we must adhere. This guideline outlines the objectives, organization and measures, as well as the central information security guidelines to which we wish to commit.


Scope of application of the ISMS

Scope of application

The scope of application is comprehensive: all areas of Seibert Media GmbH, including all sites in Wiesbaden and employees working on a mobile basis or from home, are part of the ISMS.

Our business includes the creation of software, commerce involving internal and external software, and the provision of services in connection with these software products. We have more than 200 employees who together make up independently responsible, interdisciplinary teams in all areas of the organization, focusing on agile software development. The services we provide include strategic project planning, consultations concerning the purchase of licenses, user courses, trainings & workshops, support with the integration of plugins & third-party systems, and the operation and hosting of Atlassian applications.

We are currently focusing especially closely on the Atlassian and Google ecosystems and are developing our own products within them, e.g. Linchpin and Agile Hive.

The importance of information security

The processing of information is crucial to the fulfillment of our duties. All core strategic and operational functions and tasks are supported by information technology (IT) to a significant extent. We need to be able to compensate for the failure of IT systems at short notice. Our business must never collapse, even in individual departments.

Information security is of the utmost importance – particularly because we are a company that not only produces software, but also offers hosting and cloud services.

Security objectives

The purpose of all activities aimed at maintaining and improving information security is to ensure the fundamental values of privacy, integrity and availability of information – particularly with regard to our customer data.


The specific security measures we implement must be economically proportionate to the protection needs of the data being processed. As a core activity, we continually identify, assess and handle information security risks in order to maintain and improve information security. Information security brings with it various legal, regulatory and contractual requirements, which are identified and taken into account on a continuous basis.

We have defined the following objectives on the basis of the corporate objectives and the current status of our information security level:

Objective: Intensification of efforts to increase information security awareness among all employees
Description: The goal is to further expand information and training offerings in the area of IT security and to measure their effectiveness.

Objective: Ensuring that individual, contractual customer IT security requirements are fulfilled
Description: Any IT-security-related customer contractual requirements which exceed the standard defined in our own contract templates should be uniformly reviewed and approved, centrally recorded, documented in a transparent manner, communicated internally, and monitored for compliance on a regular basis.

Objective: Improving the security of our software products
Description: As a software development company and cloud provider, constantly improving the IT security of our products is very important to us. The goal is to systematically strengthen IT security knowledge within our development team and to establish a cross-team group of experts who will internally advise on the secure implementation of new functions and perform regular security tests (pen tests) on our software products, or commission third parties to perform such tests.

Objective: Continuous improvement of the ISMS
Description: In expanding the ISMS, the focus should be on maintaining processes and improving the effectiveness of the system.

These objectives will be reviewed and evaluated in the framework of a management review.

Security organization

In order to achieve our information security objectives, an ISMS team has been established and a Chief Information Security Officer (CISO) appointed by the Board of Management. An Information Security Management System (ISMS) has been rolled out company-wide and its effectiveness is regularly reviewed.

The Board of Management is responsible for the security organization. The Chief Information Security Officer shall advise the Board of Management regarding the planning and implementation of information security within the company. As part of the role, this officer shall report directly to the Board of Management as required and at least once a year.

The company shall provide the ISMS team with sufficient financial and time resources to ensure its members receive regular further training and adequate information.

The members of the ISMS team must be involved in IT-security-relevant projects (e.g. new products, site development, major IT infrastructure changes) from an early stage so that security considerations can be taken into account in the planning phase.

A Chief Information Security Officer has been appointed. The Chief Information Security Officer shall have a sufficient time budget for the performance of their duties. The Chief Information Security Officer must complete regular training.

Security measures

A responsible person is nominated to determine the respective protection requirements for all processes, information, IT applications and IT systems.

Access rights are granted as necessary and are managed centrally.

Deputies must be appointed for all responsible functions. Instructions and sufficient documentation must be provided to ensure that deputies can fulfill their duties.

Buildings and premises are protected by means of adequate access control. Access to IT systems is protected by means of appropriate access controls, and access to data must be secured using a restrictive rights concept.

Antivirus programs are installed wherever practical, particularly on mail servers, document storage locations and company PCs that have admin access to customer systems. All internet access is secured by means of suitable technical filtering and protective mechanisms. Remote maintenance access to all internal systems and customer services is protected by means of VPN connections. An extensive monitoring system is used to detect infringements of security objectives by the IT infrastructure and applications; such instances are promptly corrected by trained employees. In addition, IT users support the security measures by implementing a security-conscious approach in their work and alerting the relevant contacts in the event of abnormalities.

As the possibility of data loss can never be completely eliminated, extensive data backup is in place to ensure that IT operations can be resumed promptly in the event that parts of the operational data pool are lost or obviously defective. Information is labeled consistently and stored in such a way that it can be located quickly.

In order to limit or prevent significant damage in the event of an emergency, we must respond swiftly and consistently to security incidents. Measures to be taken in case of emergency are summarized in a separate emergency precaution concept. Our goal is to maintain critical business processes even during a system failure, and to restore the availability of systems that have failed within an acceptable timeframe.

Where IT services are outsourced to external companies, we specify concrete security requirements in the respective contracts. The right of control is established. For extensive or complex outsourcing projects we create a detailed security concept with specific target measures.

IT users complete regular trainings on the correct use of IT services and associated security measures. The company management supports needs-based further training in this respect.

Improving security

The information security management system is reviewed regularly to ensure that it is up to date and effective. In addition, regular inspections are performed with regard to the measures in place, to determine whether the relevant employees are aware of them, whether they can be implemented, and whether they can be integrated into operating procedures. Our CISO is responsible for monitoring these inspections.

Management supports the continuous improvement of our security levels. Employees are encouraged to communicate any potential areas for improvement or weak points to the responsible department.

We ensure the intended level of security and data protection through continuous revision of the regulations and compliance with them. Deviations are analyzed in order to improve the security situation and constantly keep pace with the latest developments in the area of IT security technology.

Central guiding principles

Data classification: The difference between internal data and customer data

Guiding principle

We distinguish between data we collect and store and data that customers store on the systems we run for them.

We distinguish between data we ourselves collect and store in the context of our daily work (internal data), and data held in dedicated customer systems in connection with the provision of a service (operation of Atlassian applications), but which we do not otherwise use (customer data). Although all internal information pertaining to customers that we store in CRM, ERP, accounting and invoicing systems or in emails, chats, wikis or ordering software is also data that contains customer information in a broader sense, this information is processed together with purely internal data and is therefore classified as “internal data”.

Since we classify customer data as requiring a higher level of protection, the implemented level of security when customers share information with us in the dedicated customer systems is also higher than if the information is processed in our systems (e.g. emails, Extranet, Jira order processing). We make this difference as clear and transparent to customers as possible, and if customers ask us to work in the higher-security customer systems we respect that, even if it means limitations for us. Depending on the situation, team and team composition, it may be necessary to store specific information on our systems to ensure that processes run smoothly. We always flag these situations in advance and explain the background.

Usability vs. security

Guiding principle

An essential guiding principle in how we do business is the conscious balancing of the practical and simple (usability) against the highly secure. We try to use technology to increase security and usability at the same time.

We understand that usability (simplicity for users) and IT security (privacy, integrity and availability of data and services) often conflict with one another. Particularly when working in customer environments, we often realize that stringent security requirements mean we are spending more time trying to gain access to information than we are creating value for the customer. That is why we always strive to take usability into account as well and, where uncertainties arise, to assess which solutions best suit the case at hand (What data are we handling? What is the security classification of that data?). We reach a practical solution through team discussion and document it in central systems that are visible to all staff. We tend to lean in the direction of usability when it comes to handling internal data. This tendency is based on our corporate values and trust in our employees.

Customer data is given exceptional protection.

Guiding principle

IT security in relation to the data of our customers is a top priority for us.

The security of customer data is the foundation of our integrity and the bedrock on which trusting, long-term collaboration is built. We exclude any forms of use or processing that have not been agreed with our customers, and ensure clear, documented decisions in other cases.

In the event of uncertainty, we always opt for more security rather than more simplicity in relation to our customers' data. In this case, security comes before usability.

Digital before analog. Paper is only a situational tool.

Guiding principle

As a general rule, documents should not be printed out, but should instead be and remain digitized.

We are confident in our policy of storing all data in digital format because this is the only way we can be in a position to guarantee the IT security of this information. Where possible, we try to keep the data and information within the company in digital format. If we use paper, we do so solely to speed up our work processes. Paper is a temporary tool used to strengthen our visibility, presence or interaction. We are actively working on digitizing all information that is currently documented in paper form, and wherever possible we avoid storing paper unless legally required to do so. Paper is disposed of in a manner appropriate to the protection class of the information it contains.

Duty to cooperate

The Board of Management is committed to its responsibility to support the information security objectives outlined in this guideline, and encourages all employees to also contribute towards maintaining and improving information security.

This guideline applies to all employees without exception. There is no justification for deviating from it. As a company, we will ensure that employees read and understand this guideline and document their agreement with it. We will announce and explain any amendments to it internally.

This page was last edited on 07/26/2021.