Information Security Policy
- January 4, 2024
1. Introduction
This Information Security Policy outlines the framework and guidelines for managing and securing information assets at TableAir. The policy ensures compliance with ISO 27001:2022 standards, GDPR, NIS2, SOC2, DORA, ITIL, and CIS Critical Security Controls.
2. Objective
The objective of this policy is to protect TableAir’s information assets against all internal, external, deliberate, or accidental threats. It aims to ensure the confidentiality, integrity, and availability of information.
3. Scope
This policy applies to all employees, contractors, consultants, temporary staff, and other workers at TableAir, including all personnel affiliated with third parties. It covers all information assets owned, leased, or used by TableAir.
4. Roles and Responsibilities
– Chief Information Security Officer (CISO): Overall responsibility for information security.
– Information Security Team: Implements and enforces security policies.
– Department Heads: Ensure compliance within their respective departments.
– Employees and Contractors: Adhere to the information security policies and procedures.
5. Information Security Management System (ISMS)
TableAir has implemented an ISMS that complies with ISO 27001:2022. The ISMS framework includes:
– Risk Assessment and Treatment
– Information Security Objectives
– Monitoring and Measurement
– Continual Improvement
6. Risk Management
TableAir conducts regular risk assessments to identify and mitigate risks to information assets. Risks are assessed based on their potential impact and likelihood, and appropriate controls are implemented to manage them.
7. Access Control
Access to information assets is granted based on business requirements and the principle of least privilege. User access rights are reviewed regularly, and access is revoked immediately upon termination or change of role.
8. Data Protection
TableAir is committed to protecting personal data in compliance with GDPR. Personal data is processed lawfully, fairly, and transparently, ensuring data accuracy and integrity.
9. Physical and Environmental Security
Physical access to TableAir’s facilities is controlled to prevent unauthorized access, damage, and interference to information and information processing facilities.
10. Communications and Operations Management
Operational procedures and responsibilities are documented and maintained to ensure the secure operation of information processing facilities. This includes change management, backup, and network security management.
11. Incident Management
All security incidents, weaknesses, and breaches must be reported to the Information Security Team. An incident response plan is in place to manage and remediate incidents promptly.
12. Business Continuity Management
TableAir maintains a business continuity plan to ensure the availability of critical services in the event of a disruption. Regular testing and reviews of the plan are conducted.
13. Compliance
TableAir complies with all relevant legal, regulatory, and contractual requirements related to information security. Regular audits and reviews are conducted to ensure ongoing compliance.
14. Awareness and Training
All employees receive regular information security awareness training. Specialized training is provided for roles with specific information security responsibilities.
15. Review and Revision
This policy is reviewed annually or upon significant changes to ensure its continuing suitability, adequacy, and effectiveness. Any amendments are approved by the CISO.
Approval
This Information Security Policy is approved by:
Giedrius Gervickas, CEO
TableAir, UAB
Date: 2024-01-04