Security Policy

Purpose

With its Policy on Information Security, the Board of Directors aims to commit "Sirma Business Consulting" JSC to the core values and principles laid down in the Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security of the Organisation for Economic Co-operation and Development, namely:

Awareness

The staff, customers, suppliers, subcontractors and all other participants in the information exchange should be aware of the need for security of information systems and networks and should contribute to improving security.

Responsibility

All participants in the information exchange are responsible for the security of information systems and networks.

Response

All participants in the information exchange must act promptly and cooperate with each other in order to prevent, detect and respond to security incidents.

Risk assessment

The risks to information security should be assessed.

Security design and implementation

Security should be included as an essential element of information systems and networks.

Security management

Security should be achieved through the implementation of a comprehensive management approach.

Reassessment

The security of information systems and networks should be reviewed and re-evaluated and, if necessary, changes should be made to the Policy, procedures, practices and measures.

The implementation of this policy is essential to ensure the proper and uninterrupted performance of the provided IT services.

With the Policy on Information Security "Sirma Business Consulting" JSC aims to achieve the following:

  • To protect the information from unauthorized access
  • To maintain the confidentiality of information
  • Non-disclosure of information to unauthorized persons, even due to negligence or accidental error
  • To keep the information intact from unauthorized changes
  • To provide information to authorized persons whenever they need it
  • More accurate regulatory compliance
  • Development, implementation and practical examination of contingency plans of security
  • Training on information security of all participants in the information exchange
  • Documentation and investigation of all suspected breaches of information security

Feasibility

With this policy the Board of Directors expresses its determination to introduce a comprehensive system for protecting information and related assets from any threats, both external and internal, regardless of whether they are intentional or unintentional, in the offices of "Sirma Business Consulting" JSC in the country, or outside the country at customers' premises, as well as anywhere else the information and the related assets of the Company are found.

The entire staff of "Sirma Business Consulting" JSC is responsible for the implementation of this Policy.

The Board of Directors is committed to providing the necessary resources and to supporting the efforts of everyone involved in the information exchange to achieve this Policy.

Key aspects

The main directions of information security in which this policy will seek implementation are:

  • Protection of information, owned by clients or other third parties
  • Protection of personal data
  • Protection of information and related assets of the Company
  • Ensuring confidence among all stakeholders about the reliability of information management

Tasks

The Board of Directors has appointed the Executive Directors to organize the following:

  • Definition of information and related assets, their vulnerabilities and threats to which they may be exposed and accurate assessment of the risks.
  • Ensuring compliance with the requirements of:
    • The Constitution, laws, regulations thereto and other applicable laws
    • Contracts signed and accepted customer requirements
    • All internal rules of "Sirma Business Consulting" JSC
    • International standards of the ISO/IEC 27xxx family
  • Issuance of Objectives for Information Security, which underlie the basic eligibility criteria in assessing risks.
  • Risk management for information security within the established limits of acceptability.
  • Control of "Sirma Business Consulting" JSC for the implementation of this policy and regular reporting on the status and implementation during the review of the system for managing information security.

Key areas

In furtherance of this policy, rules for its implementation should be developed in the following areas:

  • Physical security
  • Control of the access to systems and data
  • Education and training in security
  • Private and public electronic networks, systems and services
  • Rules of conduct of participants in the information exchange
  • Backup
  • Mobile devices
  • Storage and disposal of confidential information
  • Protection from malicious code
  • Planning of the continuity of information security
  • Relationships with:
    • Customers
    • Suppliers and subcontractors
    • Other stakeholders
    • Bodies of state and local government
  • Other important aspects of security

Responsibilities

With this policy the Board of Directors takes responsibility to assign and require full implementation of the principles embodied in it for managing information security in "Sirma Business Consulting" JSC. The Executive Directors will require its application in the daily work of the Company and will recommend updates to it to the Board of Directors.

The Board of Directors will periodically review this policy and if necessary make changes to ensure that it is suitable for the activities performed and that it continues to contribute to the reliable protection of the information in full compliance with all applicable legal requirements and voluntarily adopted ones.

The Information Security Officer is called upon to assist the Executive Directors in the implementation of this policy by introducing and implementing the necessary rules, which are documented in the Manual, Rules and Instructions.

All participants in the information exchange are required:

  • To comply with the rules specified in the documentation of the information security management system and other internal documents of the Company.
  • To assist with personal contribution to the implementation of this Policy.
  • To report on the observed weaknesses in information security.

Stakeholders with any questions regarding this policy should contact the Executive Directors and the Information Security Officer, whose clarification and guidance must be complied with when exchanging information with "Sirma Business Consulting" JSC.
