Information Security Management System (ISMS)

Parthian Technologies' (the “Company” or “Parthian”) commitment to information security is provided for in its Information Security Policy (the “Policy”). Information security is aligned with the organization’s business goals and will take into account the internal and external issues affecting the organization and the requirements of interested parties.

SCOPE

This policy applies to all top management, staff, contractors, and third-party employees under contract, who have any access to, or involvement with, the business processes, information assets, and supporting IT assets and processes covered under the scope of ISMS.

ISMS POLICY

Parthian is committed to the development and maintenance of an Information Security Management System (“ISMS”) and has developed this Policy to:

  • Provide a framework by which the confidentiality, integrity, and availability of the Company’s information assets can be maintained.
  • Ensure that Employees comply with the policy and are adequately trained in the Company’s standards and security procedures.
  • Ensure that all breaches of information security are reported and investigated, and that appropriate action is taken where required.
  • Ensure that supporting ISMS policies and procedures are regularly reviewed and continual improvement is maintained to ensure progressive good working practices and procedures.
  • Optimize the management of risks by preventing and minimizing the impact of Information Security incidents.
  • Ensure that all legal and regulatory standards are met.

Occasionally the Information Security Policy adopted will have to be updated to keep up with the most current regulations. When that happens, we will be sure to keep you informed and give you the links explaining the content of the changes. To complement the ISMS Policy, policies, principles, procedures, and guidelines for the Company will be made available in both print and online forms through an intranet system.

Information Security Requirements

Precise criteria for information security requirements will be agreed upon and maintained with the internal business and cloud service clients, and all ISMS work will be focused on meeting those criteria. Legislative, regulatory, and contractual agreements will also be documented and incorporated into the planning process.
The key idea of the Company’s ISMS is that controls are implemented in response to business needs, which will be conveyed to all employees via team meetings and briefing documents on a regular basis.

Human Resources

The Company will ensure that all personnel involved in information security are competent, based on proper education, training, abilities, and experience. The required skills will be determined and assessed on a regular basis, as will current skill levels within the Company. Training requirements will be identified, and a strategy will be implemented to guarantee that the appropriate skills are in place.
The HR department will keep track of training, education, and other necessary data to document individual skill levels.

Roles and Responsibilities

The table below lists the roles with the overall responsibility for information security:

| Role | Responsibilities |
|---|---|
| ISMS Manager | The ISMS Manager is responsible for maintaining, updating, and monitoring compliance with the requirements of the information security policy. The ISMS Manager drives the information security initiatives within the organization. The Information Security Management Systems Manager has the overall responsibility for ensuring that the Information Security Management System conforms to the requirements of ISO27001. The ISMS Manager reports to the top management of the Company. |
| Top Management | Top management supports the ISMS Manager by deciding upon the issues elevated to it by the ISMS Manager and making sure that all intentions of the Information Security Policy are being met in full. |
| Board | The Board is responsible for overseeing that all IT-related services, new ones as well as the existing ones, are and remain, among other things, in compliance with the Information Security Policy. |
| System Administrators (SA) | The role of the System Administrator (SA) is to provide the necessary resources, which will enable secure, reliable, and controlled data processing. The SA will manage the implementation, control, and maintenance of all facilities necessary to enable the high standards of IT services required. |
| Employees | Comply with security policies and inform the ISMS about any attempted security breaches. |

Information Classification

To ensure the appropriate management of all information assets and overall information security thereof, Parthian Technologies defines three information security classifications:

| Information Type | Definition |
|---|---|
| Confidential | Confidential information is all information not to be disclosed without the permission of the owner. This information is of high specific or strategic value. |
| Restricted | Restricted information is all information needed and generated for conducting or acquiring on behalf of the company’s day-to-day business operations. |
| Public | Public information is all information intended for disclosure and distribution to the public. However, public information must be protected by copyrights. |

Paper-based information must be marked visibly according to its classification, whereas electronic information is mainly classified through access rights and password security, as well as system security. Classification of business and work-related verbal information and conversations must be ensured by the overall awareness of company staff according to this policy.

Awareness

Awareness of Parthian Technologies' information security policy is championed by the ISMS Manager with the support of management. Employees are trained on information security at planned intervals to ensure everyone is kept updated with trends in the cybersecurity space. This includes measures for responding to threats and well-thought-out strategies to mitigate these cyber risks.

Preserving

This means that management, all full-time or part-time Employees, sub-contractors, project consultants and any external partners or other parties have, and will be made aware of, their responsibilities to preserve information security, to protect data, to report security breaches (in line with the policy and procedures) and to act in accordance with the requirements of the ISMS. The consequences of security policy violations are described in the Company’s disciplinary policy. All Employees will receive information security awareness training and more specialized Employees will receive appropriately specialized information security training.

Violation and Sanctions

Employees are responsible for protecting the company’s information assets and complying with the Information Security Policy. Employees must report violations of the principles defined herein or general breaches of information security to management through the ISMS Manager immediately. Details and circumstances of all violations must be investigated by the ISMS Manager and reported to management.
Sanctions must then be determined by management. Concealment of violations of the principles defined herein or general breaches of information security must also be sanctioned.

Reporting

Reporting on Information Security events is done as defined in the Information Security Incident Management Procedure. Regular reporting on Information Security matters for purposes of steering and overall management is done on an annual basis.

Review of Policy

This Policy and its underlying principles will be reviewed annually by the Board to ensure their continued application and relevance.