Information security policy

© Brandkind 16.1.2024

This policy describes the objectives, organization, responsibilities, requirements and means of implementation of information security at Brandkind Marketing Communications Finland Oy.

Objectives

It is important for Brandkind to be a reliable partner to its stakeholders, and part of this reliability is taking care of information security. We are experts in information security issues related to our field. In addition to our own operations, we help our customers take information security into account in their operations, for example in the processing of personal data.

The goal of information security is the reliable continuity of operations. Our information security work covers the core triad of confidentiality, integrity, and availability. We consider confidentiality to be a priority and always emphasize it in our operations. Time criticality, data management throughout its life cycle and compliant processing of data are areas of special consideration.

Organization of and responsibilities regarding information security

The CEO is responsible for overall information security. A separately appointed member of the Management Team is responsible for the practical implementation of information security under the CEO.

The designated owners of information systems are responsible for setting the requirements related to the use of the systems and for instructing users on them. The administrators are responsible for carrying out the necessary technical measures. The owners and administrators work together with the system suppliers.

All employees are responsible for the implementation of information security. Good information security behaviour is achieved by following this policy and established guidelines. Everyday actions and small decisions play a major role in the formation of a good information security culture. All observations related to information security, even suspicions, must be reported immediately to the IT administrator and CEO.

This policy is binding for Brandkind’s own personnel, third parties (subcontractors, partners, etc.) and suppliers of information systems. The severity of the consequences of a policy violation varies. A deliberate breach of data security will lead to legal consequences based on Finnish and European Union legislation.

We ensure the information security competence of our own personnel starting from the beginning of their employment. For us, information security is everyone’s business.

Implementation of information security

The information security policy is reviewed and updated annually. It is implemented by following the information security management model developed in accordance with the requirements of this policy. Information security must be considered in all operations, including projects, internal development and operations.

Information security is developed in a goal-oriented and risk-based manner. The risk management process handles issues reported and observed in the development of information security. Information security incidents are prepared for by drawing up an incident management process and regularly practising its implementation. Incident management utilises the processes formed for information security management.

The implementation of information security is monitored internally. The indicators used are the number and quality of incidents, the numbers of related training sessions and participants, and general feedback and observations. Information security observations are the subject of an annual information security development plan.

The main practices for implementing information security

In the matter of data and documentation, the principles of the data life cycle are followed, including all stages from creation to deletion. Data necessity assessments are carried out regularly. The classification of data uses a standardized scale. The creator of the information under consideration is responsible for its correct classification and distribution on a case-by-case basis. Access to information is granted on a need-to-know basis, not by default. In managing the life cycle and access rights of data, special attention is paid to the specific requirements of data protection and customer data.

All personnel go through the basics of information security as part of their orientation, which is documented as part of the onboarding plan. Information security-related training is organized annually for all personnel and participation is documented. Current information security issues are actively communicated through internal bulletins and on the intranet. The competence of the personnel is assessed annually in connection with the preparation of the development plan.

In the implementation of technical data security, we primarily select service providers that offer cloud services. The implementation of the information security of services is ensured by means of service descriptions and agreements. If necessary, more detailed descriptions of the implementation of the services will be requested. Employees use managed devices and pre-approved applications with instructed operating principles and requirements.