Information Security Management
1. Purpose, Scope, and Users
This top-level policy defines the purpose, scope, foundations, and fundamental rules for Information Security Management.
This policy applies to the entire Information Security Management System (ISMS).
Users of this document include all employees of RUD Ketten Rieger & Dietz GmbH & Co. KG, as well as relevant external parties.
2. Information Security: Basic Concepts
Confidentiality – Protection against unauthorized disclosure of information
Integrity – Protection against unauthorized alteration of information
Availability – Required information must be available to authorized parties at all times
Information Security – Maintenance of the confidentiality, integrity, and availability of information
Information Security Management System – The part of the overall management process that deals with the planning, implementation, maintenance, review, and improvement of information security
3. Management of Information Security
3.1. Objectives and Measurement
The general objectives of the Information Security Management System are:
- Availability of systems and information
- Protection of information
- Damage reduction
- Improvement of market image
These objectives align with the business objectives, strategy, and business plans of the organization. The Information Security Officer is responsible for reviewing these general ISMS objectives and defining new objectives.
Objectives for individual security measures or groups of security measures are proposed by the ISMS team and approved by management as part of the Statement of Applicability.
All objectives must be reviewed at least annually.
RUD Ketten Rieger & Dietz GmbH & Co. KG assesses and measures the fulfillment of these objectives. The Information Security Officer is responsible for determining the method by which the fulfillment of these objectives is measured. The assessment/measurement is conducted at least annually, and the Information Security Officer analyzes the measurement results and derives a management report from them. This report is jointly evaluated with management. The Information Security Coordinator is responsible for storing details of measurement methods, periodicity, and results in the measurement report.
3.2. Importance of Information Security
Successful planning, implementation, and maintenance of IT infrastructure depend on fast, secure, and up-to-date access to the information on which the company's success rests. Misuse of this information not only damages the company's reputation but can also lead to legal consequences and claims for damages.
Functioning information technology and a security-conscious approach to it are essential prerequisites for daily workflows and for the trust of customers and business partners.
3.3. Core Elements of Security Strategy
- Protection of information against all unauthorized access
- Ensuring the confidentiality of information
- Ensuring the integrity of information
- Ensuring the availability of information
- Compliance with legislative and regulatory requirements
- Developing, managing, and testing emergency plans
- Offering and conducting awareness-raising measures for information security, as well as data protection training for all employees
- Reporting actual or suspected information security breaches to the ISMS team and investigating them
- Reporting actual or suspected data protection breaches to the DSMS team and investigating them
3.4. Information Security Requirements
This policy and the entire ISMS must comply with both the legal requirements and the contractual obligations that are relevant to the organization in the field of information security.
3.5. Responsibilities and Organizational Structure of the ISMS
To achieve security objectives, an Information Security Officer (ISO) and an ISMS team are appointed. The ISO and the ISMS team are responsible for developing and updating the security concept and maintaining the security level. They report directly to management.
The ISMS team consists of:
- the Information Security Officer
- the Information Security Coordinator (ISC)
- the IT Responsible
The basic responsibilities for the ISMS are as follows:
- The ISO is responsible for ensuring the implementation of ISMS objectives, in accordance with this policy.
- The ISC is responsible for coordinating the operation of the ISMS and reporting on its performance.
- Management must review the ISMS at least annually or in the event of significant changes and create a record thereof. The purpose of this management review is to demonstrate the adequacy, suitability, and effectiveness of the ISMS.
- The IT Responsible is responsible for developing and implementing a training and awareness plan.
- The ISO is responsible for implementing information security training and awareness programs for employees.
- The protection of the integrity, availability, and confidentiality of assets is the responsibility of the owner of the respective assets.
- All security incidents or vulnerabilities must be reported to the ISO and IT.
- Management defines how information is classified and how internal or external exchange can occur.
3.6. Authority of the Information Security Officer
With regard to the implementation of the ISMS, the Information Security Officer may request information and cooperation from various areas, provided that these are necessary for the implementation of measures and policies of the ISMS.
If the Information Security Officer identifies deviations from the measures and policies taken, he/she initiates corrective measures to restore the required status.
3.7. Guidelines Communication
The Information Security Officer must ensure that all employees of RUD Ketten Rieger & Dietz GmbH & Co. KG, as well as relevant external parties, are familiar with the core elements of this policy.
4. Support for ISMS Implementation
Management hereby declares that the implementation of the ISMS and its continuous improvement will be supported with appropriate resources to fulfill all objectives mentioned in this policy.
5. Validity and Document Handling
This document is valid from 12.02.2024.
The owner of the document is the Information Security Officer, who must review and update the document at least annually. The following criteria must be considered for the evaluation of the document's effectiveness and adequacy:
- Lack of alignment of the ISMS with laws and regulations, contractual obligations, and other internal documents of the organization
- Deficiencies in the implementation and maintenance of the ISMS
- Unclear responsibilities for the implementation of the ISMS