RISK | Policy för informationssäkerhet [38]

RISK | Policy för informationssäkerhet


Här finns en policy för informationssäkerhet och denna mall är på ENG. Genomgång på AUDIO/VIDEO på svenska.


1. Introduction

This Information Security Policy is adopted for all group companies within COMPANY AB, reg.no 55xxxxx-xxx (“COMPANY”).

2. Purpose

The purpose of this Information Security Policy is to create a framework and guidelines to control the corporate information and manage the risk of mis-disclosure of any corporate information or data.The purpose of this Information Security policy is to:

  • Set the general principles
  • Provide clarity in the roles, and responsibilities
  • Set the corporate standard for classification of documents’ and data
  • Give guidance for the organization
  • Set the framework and guidance for follow up and reporting from the finance department.

3. General principles

  • Information should be classified according to an appropriate level of confidentiality, integrity and availability, see below Information Classification.
  • Management and staff in Corporate functions at COMPANY have particular responsibilities for information and must ensure the classification of that information, must handle that information in accordance with its classification level.
  • All employees must handle information appropriately and in accordance with its classification level.
  • Information should be both secure and available to those who are authorized in accordance with its classification level. Information will be protected against unauthorized access and processing in accordance with its classification level.

4. Information classification &  Access

  • Confidential | Normally accessible only to specified executives and employees in corporate functions. Should be marked ”confidential” and saved separately from information for Internal Use and Public information. Examples; financial reports, business critical projects and insider information, see Insider Policy.
  • Confidential information should be protected by strong passwords and be encrypted outside  of the COMPANY’s data storage.
  • Internal Use | Only available within the organization, information should not be shared outside the COMPANY. Example; internal mail, chat, documentation of projects or business development.
  • Public | Information disclosed to the public, available on the Corporate website. Information to be shared outside the COMPANY after disclosure on the Corporate web.

5. Awareness and incident handling

  • Any security breach could lead to the possible lost of confidentiality, integrity and availability of insider information, confidential information och or personal data. [ONLY LISTED COMPANIES The loss or breach of confidentiality of insider information is an infringement of the Market Abuse Regulation, and may result in in a disciplinary action from the FSA or criminal action against the COMPANY- only listed companies] The loss or breach of confidentiality of personal data is an infringement of the General Data Protection Regulation, and may result in criminal or civil action against the COMPANY.
  • If an employee is aware of an information security incident then they must report it to the CEO or CFO via mail or phone.

This policy is proposed to be adopted on board meeting in xxxx 201X and should be reviewed in xxxx  201x ahead of the Year-End.

The CFO is responsible for this policy.