INFORMATION SECURITY POLICY OF ENCRYPTED EMAIL FINLAND LTD

The information security policy of Encrypted Email Finland Ltd describes the objectives, responsibilities, and implementation of the company’s information security.

Goal of information security

The goal of ensuring information security is to:

  • secure the uninterrupted functions of the key information systems for the company’s operations;
  • secure the constant availability of the services produced for the customers;
  • prevent unauthorized use of information (that of the company and customers) and information systems; and
  • prevent the distortion and destruction of information,
  • maintaining the company's reputation.

Information security responsibilities

The CEO of the company is responsible for the realization of information security and compliance with requirements of information security management system. The CEO defines the responsibilities and authorities of roles critical to information security based on the proposal of the Information Security Officer, and appoints individuals to these roles, including a person who reports on the performance of the information security management system to the CEO.

The company’s information security team proposes and CEO confirms the valid information security policy based on the risk management policy confirmed by the Board.

The Information Security Officer is responsible for the administration and development of the company’s information security management system. The Information Security Officer presents the updates of the information security management system for reviewing to the information security team, and further for confirmation by the CEO.

The company complies with internal and external information security requirements and constantly improves its information security.

All of the company’s employees and subcontractors must comply with the company’s information security policy. In the service agreement, customers are expected to comply with information security requirements when using the Securedmail service.

Implementation of information security

The information security policy is implemented as follows:

  • the company has and complies with a written information security management system based on the ISO/IEC 27001 standard and the Katakri criteria, which is followed;
  • the employees and subcontractors and, where applicable, customers of the company are informed of the company’s information security policy as well as safe use of information systems and data, the realization of which is required and monitored;
  • the employees and subcontractors and, where applicable, customers of the company are informed of any changes in the information security policy and safe use; and
  • any problems and threats related to information security are addressed immediately.

Supervision and monitoring

Maintaining and improving the information security level requires continuous monitoring of operations, the content and reporting of which are described in the company's data security management system.

Processing of information security events

The company has the procedures described in the data security management system for detecting and handling information security deviations and disturbances. Acting against the information security policy and guidelines is counted as a data security violation. Procedures have been defined for handling violation situations.