Creation date: 27.06.2024 | Version: 1.1 | Revision date: 2.12.2025
1. INTRODUCTION AND PURPOSE
Purpose: The purpose of this Information Security Policy is to establish the standards and guidelines to protect the integrity, confidentiality, and availability of the company's information assets, systems, and services provided on the Azure platform.
This policy applies to all employees, contractors, consultants, temporary staff, and other workers at the company, including all personnel affiliated with third parties. It covers all information systems, networks, and data related to delivering the SaaS solutions to Axess Digital's customers. IT systems used by Axess Digital's employees are provided by Axess Group IT and handled according to their policies.
2. GOVERNANCE AND RESPONSIBILITIES
2.1 Information Security Governance
The governance of information security within Axess Digital is structured to ensure the protection of information assets and compliance with relevant regulations and standards. This section outlines the roles and responsibilities for managing information security.
2.2 Roles and Responsibilities
Chief Technology Officer (CTO):
Overall Responsibility: The CTO has the overall responsibility for the company's information security. This includes the development, implementation, and maintenance of the information security program.
Strategic Oversight: The CTO provides strategic oversight and ensures that security initiatives align with the company’s business objectives and compliance requirements.
Approval Authority: The CTO approves the information security policies, risk management plans, and major security initiatives.
Senior Software Developers (Security Team):
Day-to-Day Management: A dedicated team of senior software developers is responsible for the day-to-day management of information security activities. This includes implementing security measures, monitoring systems, and responding to security incidents.
Security Implementations: They ensure that security controls are properly integrated into the company’s software development lifecycle and that applications are developed following security best practices.
Incident Response: The security team is the first line of defence in responding to security incidents, conducting investigations, and implementing corrective actions.
Regular Audits: They conduct regular security audits and assessments to identify vulnerabilities and ensure compliance with internal policies and external regulations.
All Employees:
Adherence to Policies: All employees must adhere to the company’s information security policies and procedures.
Reporting Incidents: Employees are responsible for reporting any suspected security incidents or vulnerabilities to the security team promptly.
Security Awareness: Employees must participate in security awareness training to stay informed about current security threats and best practices.
3. ACCESS CONTROL
3.1 Access Control for delivered SaaS applications
Authentication for Bridge applications is handled by the AD B2C offering from Microsoft Azure. User accounts can either be stored in Axess Digital's external Entra ID tenant or use federation through OpenID Connect or similar identity providers. Axess Digital does not store any credentials in its databases.
Authorization and permissions are handled by Axess Digital's tailored user admin system, which assigns permissions based on roles per customer and per customer asset.
User account management is handled by Axess Digital's customer support team. Users are given permissions upon request from the customers. It is the responsibility of the customer to request revocation of permissions or termination of accounts.
3.2 Access Control for Cloud infrastructure
Authentication and authorization for accessing the Azure cloud infrastructure are based on Entra ID and require MFA.
Access Control to the cloud infrastructure is based on the principle of least privilege. Privileged roles are inactive by default and need to be activated for a limited period when needed.
User Account Management is handled by the CTO.
4.1 Data at rest Encryption
Data at rest is encrypted using built-in mechanisms in the different storage services used. Axess Digital uses encryption keys managed by the cloud provider.
4.2 Data in transit Encryption
Data in transit is encrypted using Transport Layer Security / HTTPS. All storage accounts are configured to only accept secure connections. Unencrypted data traffic is only permitted inside secure virtual networks behind the Application Gateway / Firewall.
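As an added illustration (not part of this policy and not Axess Digital's own tooling), the following check verifies that an exported list of storage-account settings actually meets the "only accept secure connections" requirement above. The ARM property names `supportsHttpsTrafficOnly` and `minimumTlsVersion` are real Azure settings; the account records are constructed, and treating TLS 1.2 as the required floor is an assumption.

```python
import json

# Known values of the ARM property 'minimumTlsVersion', ordered lowest to highest.
TLS_ORDER = ("TLS1_0", "TLS1_1", "TLS1_2")
REQUIRED_TLS = "TLS1_2"  # assumption: "secure connections" means at least TLS 1.2


def check_account(account: dict) -> list:
    """Return the policy violations for one storage-account record (empty list if compliant)."""
    props = account.get("properties", {})
    problems = []
    # 'supportsHttpsTrafficOnly' is the switch that rejects plain HTTP; a missing key is treated as not enforced.
    if not props.get("supportsHttpsTrafficOnly", False):
        problems.append("HTTP traffic allowed (supportsHttpsTrafficOnly is not true)")
    tls = props.get("minimumTlsVersion")
    # Assumption: an absent or unrecognised value is treated as below the required floor.
    if tls not in TLS_ORDER or TLS_ORDER.index(tls) < TLS_ORDER.index(REQUIRED_TLS):
        problems.append(f"minimum TLS version is {tls!r}, policy requires {REQUIRED_TLS}")
    return problems


def find_violations(accounts: list) -> dict:
    """Map account name -> violations for every non-compliant account in an export."""
    return {a["name"]: p for a in accounts if (p := check_account(a))}


# Constructed sample in the shape of an 'az storage account list' export (not real accounts).
SAMPLE_EXPORT = json.loads("""[
  {"name": "stbridgeprod", "properties": {"supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2"}},
  {"name": "stlegacyfiles", "properties": {"supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_2"}},
  {"name": "stolddiag", "properties": {"supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_0"}},
  {"name": "stunset", "properties": {"supportsHttpsTrafficOnly": true}}
]""")

if __name__ == "__main__":
    # Prints each non-compliant account with the reasons it fails the policy.
    for name, problems in find_violations(SAMPLE_EXPORT).items():
        print(name)
        for p in problems:
            print("  -", p)
```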
4.3 Business Continuity and Disaster Recovery
Bridge inspection applications are built "offline first", meaning they work without a connection to the cloud. This also allows users to continue using the services for some time even if the cloud back end is unavailable, which maintains business continuity while any incidents are handled.
4.4 Backup and recovery
All application data is backed up at least every 4 hours, allowing recovery if data is lost.
Virtual machine disks are backed up daily, allowing recovery of machines if needed.
Cloud infrastructure is defined in scripts, allowing fast and consistent re-creation in the rare case of an Azure datacenter failure.
4.5 Regulatory Compliance