1 Scope
This policy applies to all users of information assets in the SUZUVERSE as defined in the ISMS scope. Protecting the company's resources is the responsibility of all employees.
This policy covers all Information Systems operated by SUZUVERSE or contracted with a third party by SUZUVERSE. The term Information Systems defines the total environment and includes, but is not limited to, all documentation, physical and logical controls, personnel, hardware (e.g. desktop, network devices, and wireless devices), software and information.
Although this policy explicitly covers the responsibilities of users, it does not cover the matter exclusively. Other SUZUVERSE Information Security policies, standards and procedures define additional responsibilities. All users are required to read, understand and comply with other Information Security policies, standards and procedures. If any user does not fully understand anything in these documents, he/she should contact the SUZUVERSE Support Team. Information Security (IS) and the concerned department/division units shall jointly resolve any conflicts arising from this policy.
2 Policy Statement
SUZUVERSE shall adopt a risk-based approach to protecting its critical information assets and client confidential information from likely and high-impact threats, and shall embed information security principles into the organizational culture, making it the responsibility of each and every employee to ensure that a robust information security structure is maintained.
3 Purpose
This policy states the intent of SUZUVERSE to identify and protect its critical information assets. The principles of security adopted by the company are:
1. Confidentiality: Information should be accessible only to authorized personnel
2. Integrity: Information should be modifiable only by authorized personnel
3. Availability: Information should be made available to personnel who need it
The risks to information and infrastructure come from many sources: users, vendors, hackers, and ex-employees. The risks from viruses and worms continue to be ever-present. In addition, Business Continuity and Disaster Recovery (BCP/DRP) plans are essential requirements, which need to be implemented in the event of any disaster so that business-critical functions continue to operate and the entire operations are recovered from the disaster within an acceptable period of time.
In such a scenario it is the responsibility of each and every employee to protect the information of the company and its customers. All processes and procedures followed within the company are also very critical and need to comply with the adopted information security principles.
4 Policy Sections and Clauses
4.1 Document Description
It is the responsibility of all the company’s employees and users to comply with this policy and other associated security policies. The SUZUVERSE team is responsible for reviewing and updating this policy as and when required.
4.2 Objectives and Achievement Plan
| Functional Objective | What will be done | Resource Requirement | Responsibility | Frequency | Results evaluation |
| --- | --- | --- | --- | --- | --- |
| To minimize the number of information security incidents | Incident Management | People/Process & Technology | CISO/IT Head | When required | Data on incidents reported |
4.3 Security Awareness Program
It is important to implement security awareness initiatives at all levels of the organization, including senior management, middle management, team leaders, heads of departments, support staff, and any third parties.
The information security awareness sessions will be an ongoing initiative which will ensure that all employees and contractors are aware of the information security policies that are relevant to them, as well as of the procedures, guidelines, and information security best practices, together with the laws, regulations, and management best practices adopted by the company.
Annual online information security awareness training will be conducted, in addition to awareness sessions for new joiners during onboarding and induction delivered by the respective HR.
4.4 Competence
The company shall ensure that the employees and contractors in the scope of the ISMS have the skills and competence appropriate to their roles, and shall maintain records of the same.
4.5 Monitoring, Measurement, Analysis and Evaluation
In addition to maintaining the information security management system, it is imperative to monitor and measure its ongoing efforts and results as well. A detailed, documented process will identify metrics for specific controls implemented in the company, and will also identify techniques for implementing and reviewing measurements of the identified metrics. The inputs and outputs of the measurements will be reviewed on a regular basis.
4.6 Continual improvement
SUZUVERSE’s policy on continual improvement is to:
- Continually improve the effectiveness of the ISMS
- Enhance current processes to bring them into line with good practice as defined by ISO/IEC 27001 and related standards
- Achieve ISO/IEC 27001 certification and maintain it on an on-going basis
- Increase the level of proactivity about information security
- Make information security processes and controls more measurable to provide a sound basis for informed decisions
- Review relevant metrics periodically to assess whether it is appropriate to change them, based on collected historical data
- Review ideas for improvement at regular management meetings to prioritize and assess timescales and benefits
4.7 Compliance with legal and contractual requirements
The law of Japan shall be the governing law for the interpretation of these Terms. In addition, regarding this service, the application of the United Nations Convention on Contracts for the International Sale of Goods shall be excluded. In the event of a dispute regarding this service, the court having jurisdiction over the location of our head office shall be the exclusive jurisdictional court.
4.9 Review
The Corporate Information Security Policy, as well as the other security policies must be periodically reviewed. This review will happen under the following circumstances:
- Once every 12 months
- If there is a significant change in the technologies in use by the company
- If there is a significant change in the external threat environment, which mandates a review of the risk profile
- If there is a significant change in client requirements/guidelines for information security
4.10 Communication
- This Information Security Policy will be disseminated to all employees and contractors by email.
- All communication with stakeholders, the media and financial markets will be carried out by the executive team only, on a need basis, through press events, conferences and emails. No employee of the organization may engage with the media or financial markets unless authorized by Mr. Jack.
- In their daily work, all employees should act as representatives and ambassadors of the company and are authorized to speak with clients in line with their project and KRA. Inside information shall be kept confidential.
- Information shall be uploaded to the SUZUVERSE website only after approval by Mr. Jack, in line with the executive committee's agreement.
- Communication with internal and external stakeholders must be in line with the organization's stance and strategy and will be carried out on a case-by-case basis. Mr. Jack is authorized to communicate with external stakeholders in line with contractual requirements.
- When speaking at conferences, the presentations should be checked with Mr. Jack.
5 Enforcement
Necessary disciplinary action will be taken against any employee not following the policies and procedures laid down by the company. Similarly, action will be taken against those employees encouraging/observing such an activity and not reporting the same to the concerned authority. Any employee found to have violated this policy may be subject to disciplinary action.