This Information Security Policy establishes the framework for the protection of information assets within our organization, in compliance with the requirements of ISO 27001 and SOC 2 certifications. It outlines the management's commitment to information security, defines the roles and responsibilities, and provides guidelines for the implementation and maintenance of an effective information security management system (ISMS).
This policy applies to the use of information, electronic and computing devices, and network resources to conduct Coolset BV business or interact with internal networks and business systems, whether owned or leased by Coolset BV, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at Coolset BV and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Coolset BV policies and standards, and local laws and regulations.
This policy applies to all employees, contractors, and third-party users who have access to our organization's information assets, whether they are stored electronically or in physical formats.
We are committed to protecting the confidentiality of information assets by implementing appropriate access controls, encryption, and secure handling procedures. Unauthorized access, disclosure, or use of confidential information is strictly prohibited.
We ensure the integrity of information assets by implementing controls to prevent unauthorized modification, destruction, or corruption. This includes implementing change management procedures, regular backups, and maintaining data accuracy and consistency.
We take nightly backups of our databases with a 7-day data retention period, and annual backups of our databases with a 2-year retention period. Backups can be restored from within Google Cloud Platform (GCP).
We strive to ensure the availability of information assets to authorized users when needed. We implement appropriate measures to prevent and mitigate the impact of incidents that could affect the availability of our systems, applications, and data.
We are committed to complying with all applicable laws, regulations, and contractual obligations regarding information security. We regularly assess our systems and processes to ensure compliance and take prompt action to address any identified non-compliance.
We are dedicated to continually improving our information security management system to adapt to evolving threats and vulnerabilities. We actively monitor and assess the effectiveness of our controls, implement necessary improvements, and provide relevant training and awareness programs to our employees.
The following security standards shall govern access to Coolset BV networks and network services:
We implement robust access controls to ensure that information assets are only accessed by authorized individuals. Access rights are granted based on the principle of least privilege, ensuring that individuals have the minimum privileges necessary to perform their job responsibilities.
User access is managed, where possible, through a central authentication system, and strong authentication mechanisms, such as passwords and multi-factor authentication (MFA), are enforced.
We review and update user access rights to align with changes in job roles or responsibilities every six months. Tools where access cannot be controlled via Google Admin and Single Sign On (SSO) are added to a separate access control document, which is accounted for in onboarding and offboarding procedures. Such tools may not have MFA in place.
All users are required to report known or suspected security events or incidents, including policy violations and observed security weaknesses. Incidents shall be reported immediately or as soon as possible by Slack (internal) or email (external) to security@coolset.com.
Slack messages and emails should describe the incident or observation along with any relevant details.
Our Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that we can address and correct inappropriate conduct and actions. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of law or regulations that govern our operations.
It is contrary to our values for anyone to retaliate against any employee or other person who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, suspected fraud, or a suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment.
Anonymous reports may be submitted via Coolset’s Whistleblower channel available to all employees.
All end-user devices (e.g., mobile phones, tablets, laptops, desktops) must comply with this policy. Employees must use extreme caution when opening email attachments received from unknown senders, which may contain malware.
System-level and user-level passwords must comply with the Access Control Policy. Providing access to another individual, either deliberately or through failure to secure a device, is prohibited.
All end-user devices, whether personal (BYOD) or company owned, used to access Coolset BV information systems (e.g., email) must adhere to the following rules and requirements:
Clear Screen and Clear Desk Policy
Users shall not leave confidential materials unsecured on their desk or workspace, and will ensure that screens are locked when not in use.
Remote working refers to any situation where organizational personnel operate from locations outside the office. This includes teleworking, telecommuting, flexible workplace, virtual work environments, and remote maintenance. Laptops and other computer resources that are used to access the Coolset BV network must conform to the security requirements outlined in Coolset BV's Information Security Policies and adhere to the following standards:
Coolset BV proprietary and customer information stored on electronic and computing devices, whether owned or leased by Coolset BV, the employee or a third party, remains the sole property of Coolset BV for the purposes of this policy. Employees and contractors must ensure through legal or technical means that proprietary information is protected in accordance with the Data Management Policy. The use of Google Drive for business file storage is required for users of laptops or company-issued devices. Storing important documents on the file share is how you “back up” your laptop.
You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of Coolset BV proprietary information or equipment. You may access, use or share Coolset BV proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties. Employees are responsible for exercising good judgment regarding the reasonableness of personal use of company-provided devices.
For security and network maintenance purposes, authorized individuals within Coolset BV may monitor equipment, systems and network traffic at any time.
Coolset BV reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities with properly documented Management approval. Under no circumstances is an employee of Coolset BV authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Coolset BV-owned resources or while representing Coolset BV in any capacity. The list below is not exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited, with no exceptions:
When using company resources to access and use the Internet, users must realize they represent the company and act accordingly.
The following activities are strictly prohibited, with no exceptions:
Senior management is responsible for providing leadership and support for the implementation and maintenance of the ISMS. They ensure that sufficient resources are allocated, establish the organization's security objectives, and promote a culture of information security throughout the organization.
The Information Security Officer (ISO) is responsible for overseeing the implementation, maintenance, and improvement of the ISMS. They ensure that information security risks are identified and managed, coordinate security initiatives, and provide guidance to employees on security matters.
All employees are responsible for complying with this policy and associated security procedures. They are required to exercise due care in handling information assets, report security incidents promptly, and participate in security training and awareness programs.
Biannual assessments and audits are conducted to ensure compliance with this policy, applicable laws, and regulations. These assessments may include internal audits, external audits, and security testing activities.
An incident management process will be implemented to promptly respond to and resolve security incidents. All employees are required to report any actual or suspected security incidents to the designated authority. See SOP-001.
The effectiveness of the ISMS and compliance with this policy will be monitored on an ongoing basis. Biannual reviews will be conducted to identify areas for improvement and implement corrective actions.
This policy will be reviewed every six months to ensure its ongoing suitability, adequacy, and effectiveness. Any necessary updates or revisions will be made to reflect changes in the organization's information security requirements, regulatory environment, or best practices.