Purpose and Scope
This information security policy defines the purpose, principles, objectives and basic rules for information security management.
This document details the organization's ("Shuffl") policies to ensure protection of its information assets, and to allow the use, access, and disclosure of such information in accordance with appropriate standards, laws, and regulations. This document also defines procedures to implement high-level information security protections within Shuffl, including definitions, procedures, responsibilities and performance measures (metrics and reporting mechanisms). This policy applies to all Shuffl employees, customers, consultants, and external parties who use information processing facilities (hereinafter referred to as "users"), and such users are required to comply with this information security policy. This policy must be made readily available to all users.
Background
This policy defines the high level objectives and implementation instructions for Shuffl's information security program. It includes the organization’s information security objectives and requirements; such objectives and requirements are to be referenced when setting detailed information security policy for other areas of the organization. This policy also defines management roles and responsibilities for the organization’s Information Security Management System (ISMS).
Shuffl will develop, implement, maintain, and continually improve policies, procedures and controls at all appropriate levels to protect the confidentiality and integrity of information stored and processed on its systems, and to ensure that the information is available to authorized persons as and when required.
Finally, this policy references all security controls implemented within the organization. Within this document, the following definitions apply:
Confidentiality: a characteristic of information or information systems in which such information or systems are only available to authorized entities.
Integrity: a characteristic of information or information systems in which such information or systems may only be changed by authorized entities, and in an approved manner.
Availability: a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
Information Security: the act of preserving the confidentiality, integrity, and availability of information and information systems.
Information Security Management System (ISMS): the overall management process that includes the planning, implementation, maintenance, review, and improvement of information security.
References
Policy
Managing Information Security
Shuffl's main objectives for information security include the following:
Maintaining a framework for secure systems that can be used to provide a consistent, secure, and high-quality service to our customers
Reducing the risk of data breaches, incidents, and compromises
Maintaining continuous compliance with legal, regulatory, and contractual requirements
Shuffl's information security objectives are always in line with its business objectives, strategy, and plans.
Shuffl will review all ISMS objectives at least once per year.
Shuffl will measure the fulfillment of all objectives. The measurement will be performed at least once per year. The results must be analyzed, evaluated, and reported to the management team. If there are unsatisfactory conditions, appropriate remediations will be made.
Personal Data Protection
Shuffl will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
Shuffl will follow strict guidelines: (a) to encrypt personal data throughout its lifecycle, both in transit and at rest; (b) to help ensure the ongoing stability, confidentiality, integrity, availability and resilience of platform services; (c) to restore timely access to personal data following an incident; and (d) to regularly test the organizational and technical safeguards in place.
Information Security Requirements
This policy and the entire information security program must be compliant with legal and regulatory requirements as well as with contractual obligations fulfilled by the organization.
All partners, employees, consultants, and contractors, full-time or part-time, are subject to this information security policy, and must read and acknowledge all information security policies.
Data encryption policies and safeguards for the organization are defined in the Encryption Policy (Reference 1).
The process of selecting information security controls and safeguards for the organization is defined in the Risk Assessment Policy (Reference 3).
Security requirements for handling information security incidents are defined in the Security Incident Response Policy (Reference 4).
Disaster recovery and business continuity management policy is defined in the Disaster Recovery Policy (Reference 2).
Requirements for information system availability and redundancy are defined in the Availability Policy (Reference 5).
Non-compliance
This policy is distributed to, and must be accessible by, all Shuffl partners, employees, consultants, and contractors, full-time or part-time. Any organization representative found in violation of these policies may be subject to disciplinary action and/or legal action.
Standard Controls Satisfied
TSC CC9.9