Epinion Information Security Policy
The core of Epinion’s business is data processing and analysis. Handling information and data correctly and in compliance with national and international regulation is what gives us our license to operate. Inability to do so will harm not only current business but also our brand and future business. Because of this, we regard information security as a matter of great importance. We rely on our clients’ trust in us, and in our ability to handle data correctly.
This document constitutes Epinion’s Information Security Policy and overall Information Security Management System, and goals. As such it outlines Epinion’s commitment to information security, including the protection of data which we process and analyze. Being able to protect personal data collected from respondents, employees, partners and clients is of vital interest of Epinion, and thus Information Security is of strategic interest and linked to the on-going success of Epinion.
This Information Security Policy aims at defining the proper and secure use of Epinion’s IT-systems. Its goal is to protect Epinion and users to the maximum extent possible against security threats that could jeopardize confidentiality, integrity, availability, privacy, reputation and business outcomes.
To support the implementation of a Security aware organization, this Policy is supported by a Security Handbook, which in greater detail defines the specific Information Security controls, which furthermore is supported by operational procedures to enable a uniform day-to-day implementation of the Security controls, within Epinion.
This Information Security Policy, the handbook and procedures (“The Information Security framework”) applies to all the users in Epinion, including temporary users, visitors with temporary access to services as well as partners and clients with limited or unlimited access to services. Compliance with policies in this document is mandatory.
2. Business and security goals
Epinion’s core business is based on working with and analyzing data of both sensitive and non-sensitive character.
To maintain a high level of credibility with clients, respondents, partners and employees, Epinion is committed to create and maintain a balanced Information Security level.
A balanced Information Security level is based on a thorough understanding of the opportunities and risks involved in working with high volumes of data and based on this implementing a balanced Information Security framework which mitigates risks to an acceptable level and still enables the delivery of valuable data analysis and insight to Epinion’s clients.
The key goals of Epinion’s Information Security framework are:
- To create and maintain a risk model, which enables an understanding of the Risks towards Epinion and Epinion’s business
- To create and maintain an effective and efficient Information Security framework based on ISO 27001/2, which adequately balances risks and possible safeguards, and thus supporting Epinion’s overall business strategy and model
- Establish an organizational culture that ensures Information Security is embedded in activities and business processes, and not as an afterthought or add on
- To support legal, statutory and contractual compliance with for instance EU-General Data Protection Regulation (Regulation (EU) 2016/679) and the supplementing Danish legislation (Databeskyttelseslov)
3. Responsibility and formal organization
To ensure a companywide adaptation and ongoing support of Information Security in Epinion, Epinion’s General Management Team (GMT = the CEO and Managing Directors per business unit) is responsible for understanding the risks Epinion is facing and to ensure the continuous organizational implementation and maintenance of an adequate Information Security level.
The individual manager/team leader is responsible for raising Information Security awareness levels and to ensure compliance with The Information Security Framework within his/her own group of personnel.
The Head of IT is responsible for ensuring and maintaining an IT-infrastructure which both protects Epinion’s data and supports the ongoing operation of Epinion.
The IT team in general share an obligation to keep the security standards high. Given their education and experience, they are expected to lead the way for the rest of the company on all security compliance matters.
IT system owners are responsible for the security compliance on their system(s), including understanding an ensuring compliance with relevant laws.
The individual employee is responsible for working within The Security Framework to protect Epinion and Epinion’s data to the best of their ability
4. Risk Assessment
The GMT is overall responsible for risk management, and thus to ensure, that Epinion’s Information Security framework always meet the risks facing Epinion.
Risk assessments must be conducted at least once a year or on major changes in Epinion’s way of doing business, data being analyzed, or IT-platform used.
The assessment must be derived from:
- an understanding of Epinion’s overall business processes, the systems used, and the data processed
- how data flows between clients, Epinion and third parties
4.1 Outsourcing and Vendor Management
The risks in sharing information and/or system access to third parties (including outsourced business functions) must be assessed and reviewed at least annually. Third party vendors should be assessed as to their security policies and procedures, and the level of access they possess to Epinion’s data and systems.
5. Incident Management and Business Continuity
Any GDPR-related incident must be reported through a Security Incident process and must be managed according to the GDPR-Incident Response Plan of Epinion. The plan must cover technical, legal and administrative aspects of incident management, including any relevant regulatory requirements (data breach notification laws, for example) as well as compliance requirements.
In case of major incidents, the incident must be escalated to be handled by the GMT.
The Operations Director is accountable for ensuring the development and ongoing review of the Security Incident process and developing a Business Continuity Plan when this is needed.
Exceptions to The Information Security Framework may only be authorized by the CEO.
Once per quarter CMT must be informed about all outstanding exceptions and their current status.
Failure to comply with The Information Security Framework could harm Epinion’s business and reputation and furthermore relations with clients, public authorities and partners.
Behavior contrary to The Information Security Framework that could damage Epinion’s security or reputation will be taken very seriously and may result in instant dismissal and potentially a claim for damages.
If any illegal activities are discovered, they will be reported to the management and the relevant authority.
Berit Didriksen, CEO
9. Version History
Version 1 (1. april 2018)
Version 1.1 (20. maj 2018)
Version published and shared with employees
Version 1.2 (10. august 2019)
Minor internal process updates of various sections
Version 1.3 (1. februar 2021)
Minor changes on the incident response section