Scope of application

The scope of application is comprehensive: All areas of Seibert Media GmbH including all sites in Wiesbaden and employees working on a mobile basis or working from home are part of the ISMS.

Our business includes the creation of software, commerce involving internal and external software, and the provision of services in connection with these software products. We have more than 200 employees who together make up independently responsible, interdisciplinary teams in all areas of the organization, focusing on agile software development. The services we provide include strategic project planning, consultations concerning the purchase of licenses, user courses, trainings & workshops, support with the integration of plugins & third-party systems, and the operation and hosting of Atlassian applications.

We are currently focusing especially closely on the Atlassian and Google ecosystems and are developing our own products within them, e.g. Linchpin and Agile Hive.

The processing of information is crucial to the fulfillment of our duties. All core strategic and operational functions and tasks are supported by information technology (IT) to a significant extent. We need to be able to compensate for the failure of IT systems at short notice. Our business must never collapse, even in individual departments.

Information security is of the utmost importance – particularly because we are a company that not only produces software, but also offers hosting and cloud services.

The purpose of all activities aimed at maintaining and improving information security is to ensure the fundamental values of privacy, integrity and availability of information – particularly with regard to our customer data.

The specific security measures we implement must be economically proportionate to the protection needs of the data being processed. As a core activity, we continually identify, assess and handle information security risks in order to maintain and improve information security. Information security brings with it various legal, regulatory and contractual requirements, which are identified and taken into account on a continuous basis.

We have defined the following objectives on the basis of the corporate objectives and the current status of our information security level:

These objectives will be reviewed and evaluated in the framework of a management review.

In order to achieve our information security objectives, an ISMS team has been established and a Chief Information Security Officer (CISO) appointed by the Board of Management. An Information Security Management System (ISMS) has been rolled out company-wide and its effectiveness is regularly reviewed.

The Board of Management is responsible for the security organization. The Chief Information Security Officer shall advise the Board of Management regarding the planning and implementation of information security within the company. As part of the role, this officer shall report directly to the Board of Management as required and at least once a year.

The company shall provide the ISMS team with sufficient financial and time resources to ensure its members receive regular further training and adequate information.

The members of the ISMS team must be involved in IT-security-relevant projects (e.g. new products, site development, major IT infrastructure changes) from an early stage so that security considerations can be taken into account in the planning phase.

A Chief Information Security Officer has been appointed. The Chief Information Security Officer shall have a sufficient time budget for the performance of their duties. The Chief Information Security Officer must complete regular training.

A responsible person is nominated to determine the respective protection requirements for all processes, information, IT applications and IT systems.

Access rights are granted as necessary and are managed centrally.

Deputies must be appointed for all responsible functions. Instructions and sufficient documentation must be provided to ensure that deputies can fulfill their duties.

Buildings and premises are protected by means of adequate access control. Access to IT systems is protected by means of appropriate access controls, and access to data must be secured using a restrictive rights concept.

Antivirus programs are installed wherever practical, particularly on mail servers, document storage locations and company PCs that have admin access to customer systems. All internet access is secured by means of suitable technical filtering and protective mechanisms. Remote maintenance access to all internal systems and customer services is protected by means of VPN connections. An extensive monitoring system is used to detect infringements of security objectives by the IT infrastructure and applications; such instances are promptly corrected by trained employees. In addition, IT users support the security measures by implementing a security-conscious approach in their work and alerting the relevant contacts in the event of abnormalities.

As the possibility of data loss can never be completely eliminated, extensive data protection is in place to ensure that IT operations can be resumed promptly in the event that parts of the operational data pool are lost or obviously defective. Information is labeled consistently and stored in such a way that it can be located quickly.

In order to limit or prevent significant damage in the event of an emergency, we must respond swiftly and consistently to security incidents. Measures to be taken in case of emergency are summarized in a separate emergency precaution concept. Our goal is to maintain critical business processes even during a system failure, and to restore the availability of systems that have failed within an acceptable timeframe.

Where IT services are outsourced to external companies, we specify concrete security requirements in the respective contracts. The right of control is established. For extensive or complex outsourcing projects we create a detailed security concept with specific target measures.

IT users complete regular trainings on the correct use of IT services and associated security measures. The company management supports needs-based further training in this respect.

The information security management system is reviewed regularly to ensure that it is up-to-date and effective. In addition, regular inspections are performed with regard to the measures in place, to determine whether the relevant employees are aware of them, whether they can be implemented, and whether they can be integrated into operating procedures. Our CISO is responsible for monitoring these inspections.

Management supports the continuous improvement of our security levels. Employees are encouraged to communicate any potential areas for improvement or weak points to the responsible department.

We ensure the intended level of security and data protection through continuous revision of the regulations and compliance with them. Deviations are analyzed in order to improve the security situation and constantly keep pace with the latest developments in the area of IT security technology.

Data classification: The difference between internal data and customer data

We distinguish between data we ourselves collect and store in the context of our daily work (internal data), and data held in dedicated customer systems in connection with the provision of a service (operation of Atlassian applications), but which we do not otherwise use (customer data). Although all internal information pertaining to customers that we store in CRM, ERP, accounting and invoicing systems or in emails, chats, wikis or ordering software is also data that contains customer information in a broader sense, this information is processed together with purely internal data and is therefore classified as “internal data”.

Since we classify customer data as requiring a higher level of protection, the implemented level of security when customers share information with us in the dedicated customer systems is also higher than if the information is processed in our systems (e.g. emails, Extranet, Jira order processing). We make this difference as clear and transparent to customers as possible, and if customers ask us to work in the higher-security customer systems we respect that, even if it means in limitations for us. Depending on the situation, team and composition, it may be necessary to store specific information on our systems to ensure that processes run smoothly. We always flag these situations in advance and explain the background.

Usability vs. security

We understand that usability (simplicity for users) and IT security (privacy, integrity and availability of data and services) often conflict with one another. Particularly when working in customer environments, we often realize that stringent security requirements mean we are spending more time trying to gain access to information than we are creating value for the customer. That is why we always strive to take usability into account as well and, where uncertainties arise, to assess which solutions best suit the case in hand (What data are we handling? What is the security classification of that data?). We reach a practical solution through team discussion, and present documentation in central systems that are visible to all staff. We tend to lean in the direction of usability when it comes to handling internal data. This tendency is based on our corporate values and trust in our employees

Customer data is given exceptional protection.

The security of customer data is the foundation of our integrity and the bedrock on which trusting, long-term collaboration is built. We exclude any forms of use or processing that have not been agreed with our customers, and ensure clear, documented decisions in other cases.

In the event of uncertainty, we always opt for more security rather than more simplicity in relation to our customers’ data. Security goes before usability in this case.

Digital before analog. Paper is only a situational tool.

We are confident in our policy of storing all data in digital format because this is the only way we can be in a position to guarantee the IT security of this information. Where possible, we try to keep the data and information within the company in digital format. If we use paper, we do so solely to speed up our work processes. Paper is a temporary tool used to strengthen our visibility, presence or interaction. We are actively working on digitizing all information that is currently documented in paper form, and wherever possible we avoid storing paper unless legally required to do so. Paper is disposed of in a manner appropriate to the protection class of the information it contains.

The Board of Management is committed in its responsibility to support the information security objectives outlined in this guideline, and encourages all employees to also contribute towards maintaining and improving information security.

This guideline applies to all employees without exception. There is no justification for deviating from it. As a company, we will ensure that employees read and understand this guideline and document their agreement with it. We will announce and explain any amendments to it internally.