Date (27.06.2024) Version [1.0] Revision date [27.06.2024]
Axess Digital Information Security Policy
Purpose: The purpose of this Information Security Policy is to establish the standards and guidelines to protect the integrity, confidentiality, and availability of the company's information assets, systems, and services provided on the Azure platform.
Scope: This policy applies to all employees, contractors, consultants, temporary staff, and other workers at the company, including all personnel affiliated with third parties. It covers all information systems, networks, and data related to delivering the SaaS solutions to our customers. IT systems used by our employees are provided by Axess Group IT and handled by their policies.
Governance and Responsibilities
Information Security Governance
The governance of information security within [Your Company Name] is structured to ensure the protection of information assets and compliance with relevant regulations and standards. This section outlines the roles and responsibilities for managing information security.
Roles and Responsibilities
Chief Technology Officer (CTO):
Overall Responsibility: The CTO has the overall responsibility for the company's information security. This includes the development, implementation, and maintenance of the information security program.
Strategic Oversight: The CTO provides strategic oversight and ensures that security initiatives align with the company’s business objectives and compliance requirements.
Approval Authority: The CTO approves the information security policies, risk management plans, and major security initiatives.
Senior Software Developers (Security Team):
Day-to-Day Management: A dedicated team of senior software developers is responsible for the day-to-day management of information security activities. This includes implementing security measures, monitoring systems, and responding to security incidents.
Security Implementations: They ensure that security controls are properly integrated into the company’s software development lifecycle and that applications are developed following security best practices.
Incident Response: The security team is the first line of defense in responding to security incidents, conducting investigations, and implementing corrective actions.
Regular Audits: They conduct regular security audits and assessments to identify vulnerabilities and ensure compliance with internal policies and external regulations.
Reporting Incidents: Employees are responsible for reporting any suspected security incidents or vulnerabilities to the security team promptly.
Security Awareness: Employees must participate in security awareness training to stay informed about current security threats and best practices.
Access Control for delivered SaaS applications
Authentication for our applications is handled by the Azure AD B2C offering from Microsoft Azure. User accounts can either be stored in our external Entra ID tenant, or use federation through OpenID Connect or similar identity providers. We don’t store any credentials in databases managed by Axess Digital.
Authorization and permissions are handled by our tailored user admin system, which can handle permissions based on roles per customer and customer asset.
User account management is handled by our customer support team. Users are given permissions upon request from the customers. It is the responsibility of the customer to request revocation of permissions or termination of accounts.
Access Control for cloud infrastructure
Authentication and authorization for accessing the Azure cloud infrastructure are based on Entra ID and require MFA.
Access control to the cloud infrastructure is based on the principle of least privilege. Privileged roles are inactive by default and need to be activated for a limited period when needed.
User Account Management is handled by the CTO.
Data at rest Encryption
Data at rest is encrypted using built-in mechanisms in the different storage services used. We use encryption keys managed by the cloud provider.
Data in transit Encryption
Data in transit is encrypted using Transport Layer Security / HTTPS. All storage accounts are configured to only accept secure connections. Unencrypted data traffic is only permitted inside secure virtual networks behind Application Gateway / Firewall.
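A practical way to verify the "only accept secure connections" requirement is to audit the storage account configuration rather than trust it. The following is an added example for this policy, not tooling from Axess Digital: it checks records in the shape of the JSON that `az storage account list -o json` produces (the `enableHttpsTrafficOnly` and `minimumTlsVersion` fields are real Azure CLI output fields; the account names and values in the sample are constructed) and reports any account that still allows plain HTTP or accepts a TLS version below 1.2.

```python
import json

# Constructed sample in the shape of `az storage account list -o json` output,
# reduced to the fields this check reads. Names and values are made up.
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "stinspectionprod", "enableHttpsTrafficOnly": true,  "minimumTlsVersion": "TLS1_2"},
  {"name": "stlegacyexport",   "enableHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_2"},
  {"name": "stoldreports",     "enableHttpsTrafficOnly": true,  "minimumTlsVersion": "TLS1_0"}
]
"""

# Ordering of the TLS version strings Azure uses for minimumTlsVersion.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def load_accounts(text):
    """Parse CLI-style JSON into a list of account dicts."""
    return json.loads(text)


def audit_storage_accounts(accounts, min_tls="TLS1_2"):
    """Return (account name, finding) pairs for accounts violating the policy.

    An account is non-compliant if it accepts unencrypted traffic or if its
    minimum TLS version is missing or older than `min_tls`.
    """
    findings = []
    for acct in accounts:
        name = acct.get("name", "<unnamed>")
        if not acct.get("enableHttpsTrafficOnly", False):
            findings.append((name, "allows unencrypted (HTTP) traffic"))
        tls = acct.get("minimumTlsVersion")
        if tls is None or TLS_ORDER.get(tls, -1) < TLS_ORDER[min_tls]:
            findings.append((name, f"minimum TLS version {tls} below {min_tls}"))
    return findings


if __name__ == "__main__":
    # Replace the constructed sample with real CLI output to audit a subscription.
    for name, finding in audit_storage_accounts(load_accounts(SAMPLE_ACCOUNTS_JSON)):
        print(f"{name}: {finding}")
```

Run against the constructed sample, the script flags `stlegacyexport` for allowing HTTP and `stoldreports` for its TLS 1.0 floor; a compliant subscription produces no output, which makes the check easy to schedule as part of the regular audits described under Roles and Responsibilities.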
Our inspection applications are built as “offline first”, meaning they will work without being connected to the cloud. This also allows users to continue using the services for some time even if the cloud backend is not available. This ensures business continuity while potential incidents are handled.