How We Protect Your Data
Processing information is part of our daily business. In order to secure this information, we have a basic set of objectives that we need to adhere to. This guideline explains the objectives, organization, measures and central principles regarding information security we commit ourselves to.
Scope of the ISMS
Scope of application
The scope of the Information Security Management System (ISMS) is extensive, encompassing all areas of Seibert Group GmbH, from our physical locations in Wiesbaden to employees working remotely or in telework situations.
Our business activities include software development, trading in both our own and third-party software, and providing services related to these software products. Over 200 employees work together to form independent, interdisciplinary teams in all areas of the organization with a focus on agile software development. Our services include the strategic planning of projects, advice on the purchase of licenses, user training, training courses and workshops, support with the integration of plugins and third-party systems, as well as the operation and hosting of Atlassian applications.
We are currently active in the Atlassian and Google ecosystems, where we develop our own products such as Linchpin and Agile Hive.
The Importance of Information Security
Information processing plays a crucial role in fulfilling our tasks. All essential strategic and operational functions are significantly supported by information technology (IT). We must be able to quickly compensate for any IT system failures to ensure that our business continues to operate smoothly.
Information security is particularly important to us as a company that not only produces software but also offers hosting and cloud services.
Security Objectives
All activities to maintain and improve information security are aimed at ensuring the basic values of confidentiality, integrity and availability of information - especially our customer data.
The specific security measures we implement must be economically proportionate to the protection needs of the data being processed. As a core activity, we continually identify, assess and handle information security risks in order to maintain and improve information security. Information security brings with it various legal, regulatory and contractual requirements, which are identified and taken into account on a continuous basis.
We have defined the following objectives on the basis of the corporate objectives and the current status of our information security level:
| Information security objective | Description |
|---|---|
| Intensification of efforts to increase information security awareness among all employees | The goal is to further expand information and training offerings in the area of IT security and to measure their effectiveness. |
| Ensuring that individual, contractual customer IT security requirements are fulfilled | Contractual customer requirements for IT security that go beyond the standard from our own contract templates are to be uniformly reviewed and approved, centrally recorded, transparently documented, communicated internally, and their compliance regularly monitored. |
| Improving the security of our software products | As a software development company and cloud provider, constantly improving the IT security of our products is very important to us. The goal is to systematically strengthen knowledge of IT security in the development teams and to establish a cross-team group of experts who advise internally on the secure implementation of new functions and regularly carry out security tests (penetration tests) of our software products or have them carried out by third parties. |
| Continuous improvement of the ISMS | With the establishment of the ISMS, the aim is to maintain the processes and improve the effectiveness of the system. |
These objectives will be reviewed and evaluated in the framework of a management review.
Security Organization
An ISMS team was established and an information security officer (CISO) was appointed by the management to achieve the information security objectives. An ISMS has been introduced throughout the company and is regularly reviewed for its effectiveness.
The management is responsible for the security of the organization. The Information Security Officer advises the management on the planning and implementation of information security in the company and reports directly to the management on an ad hoc basis and at least once a year.
The company provides the ISMS team with sufficient financial and time resources so that it can receive regular training and keep its knowledge up to date.
Employees of the ISMS team must be involved in IT security-relevant projects (e.g. new products, site development, major IT infrastructure adjustments) at an early stage (planning phase) in order to take security-relevant aspects into account.
A data protection officer (DPO) has also been appointed to be responsible for data protection compliance. The data protection officer has a sufficient budget to fulfill their duties and is required to undergo regular training.
Security Measures
A responsible person is appointed for all processes, information, IT applications and IT systems, who determines the respective protection requirements.
Access rights are assigned as required and managed centrally.
Deputies must be set up for all responsible functions. Instructions and sufficient documentation must be provided to ensure that deputies are able to perform their tasks.
Buildings and premises are protected by adequate access controls. Access to IT systems is protected by appropriate access controls and access to data is protected by a restrictive authorization concept.
Computer virus protection programs are used wherever appropriate, in particular on mail servers, document storage locations and company PCs with administrative access to customer systems. All Internet access is secured by suitable technical filters and protection mechanisms. Remote maintenance access to all internal systems and customer servers is protected by VPN connections. A comprehensive monitoring system detects any impairment of the security objectives of the IT infrastructure and applications, and such impairments are quickly rectified by trained employees. Furthermore, IT users support these security measures by working in a security-conscious manner and by informing the relevant departments in the event of anomalies.
Data loss can never be completely ruled out. Comprehensive data backup therefore ensures that IT operations can be resumed at short notice if parts of the operational database are lost or obviously incorrect. Information is uniformly labeled and stored in such a way that it can be retrieved quickly.
In order to limit or prevent major damage as a result of emergencies, security incidents must be responded to quickly and consistently. Emergency measures are compiled in a separate emergency preparedness concept. Our aim is to maintain critical business processes even in the event of a system failure and to restore the availability of the failed systems within a tolerable period of time.
If IT services are outsourced to external bodies, we specify concrete security requirements in the corresponding contracts. The right to control is defined. For extensive or complex outsourcing projects, we draw up a detailed security concept with specific measures.
IT users regularly take part in training courses on the appropriate use of IT services and the associated security measures. The company management supports needs-based training.
Improving Security
The ISMS is regularly reviewed to ensure that it is up to date and effective. In addition, the measures are regularly examined to determine whether they are known to the employees concerned, whether they can be implemented and whether they can be integrated into the operational process. This review is monitored by our CISO.
The management supports the continuous improvement of the security level. Employees are encouraged to pass on possible improvements or weaknesses to the relevant departments.
The desired level of security and data protection is ensured by continuously reviewing the regulations and compliance standards. Deviations are analyzed with the aim of improving the security situation and keeping it up to date with the latest IT security technology.
Central Guiding Principles
Data Classification: Company Data vs. Customer Data
We distinguish between data that we collect and store and data that customers store on the systems we operate for the customer.
We distinguish between data that we collect and store ourselves as part of our daily work (company data) and data that is held on dedicated customer systems as part of the provision of a service (operation of Atlassian applications), but which we do not otherwise work with (customer data). All proprietary information that we store about customers in CRM, ERP, booking and billing systems or in emails, chats, wikis or task software is also data containing customer information in the broader sense. Nevertheless, it is processed together with purely internal data and is therefore classified as "company data."
As we classify customer data as requiring a higher level of protection, the level of security is also higher when customers share information with us in dedicated customer systems than when it is processed in our systems (e.g. emails, extranet, Jira task management). We make the difference as clear and transparent as possible for customers and respect when customers ask us to work on customer systems, even if this entails restrictions for us. Depending on the situation, team and composition, certain information may need to be stored on our systems to ensure a smooth process. We announce these situations in advance and explain the reasoning.
Usability vs. Security
A central guideline of our actions is the conscious balance between practicality and simplicity (usability) and high security. We try to use technology to increase security and usability at the same time.
We understand that usability (simplicity for users) and IT security (confidentiality, integrity and availability of data and services) often seem to contradict each other. Especially when working in customer environments, we often find that high security requirements mean that we are more concerned with gaining access to information than working on creating value for the customer. That's why we always strive to consider usability and, in case of doubt, weigh up what the appropriate solutions are for the application (what data is involved? What is its security classification?). We find a sensible solution as a team through discussion and debate and by means of documentation in our central systems that is transparent for all employees. When handling our own data, we tend towards usability. We base this trend on our corporate values and the trust we place in our employees.
Customer Data is Given Exceptional Protection.
The IT security of our customers' data is our top priority.
The security of customer data is the basis of our integrity and trust in long-term cooperation. We exclude all forms of use or exploitation that have not been expressly agreed with our customers and ensure clear and documented decisions in other cases.
When in doubt, our customers' data is always kept more secure and not simpler. Security takes precedence over usability.
Digital Before Analog
As a rule, documents should not be printed out but should instead be created and kept in digital form.
We are confident in our policy of storing all data in digital format because this is the only way we can be in a position to guarantee the IT security of this information. Where possible, we try to keep the data and information within the company in digital format. If we use paper, we do so solely to speed up our work processes. Paper is a temporary tool used to strengthen our visibility, presence or interaction. We are actively working on digitizing all information that is currently documented in paper form, and wherever possible we avoid storing paper unless legally required to do so. Paper is disposed of in a manner appropriate to the protection class of the information it contains.
Duty to Cooperate
The Board of Management, in its responsibility, is committed to supporting the information security objectives outlined in this guideline and encourages all employees to contribute to maintaining and improving information security.
This guideline applies to all employees without exception. There is no justification for deviating from it. As a company, we will ensure that employees read and understand this guideline and document their agreement with it. We will announce and explain any amendments to it internally.
Version 1.1, as of 22.03.2024
Link to this Site: https://seibert.biz/informationsecurity