Lopos Data Security Policy

Lopos Information Security Policy

Index

1 Introduction and purpose
  1.1 Importance of Information Security
  1.2 Applicability
  1.3 Policy Review
  1.4 Compliance and Consequences
  1.5 Point of Contact
2 Scope
  2.1 Data Generation
  2.2 Data Storage
  2.3 Data Visualization
  2.4 Access and User Accounts
  2.5 Third-Party Access and Integration
  2.6 Data Transmission and Communication
  2.7 Exclusions
  2.8 Policy Review
3 Roles and Responsibilities
4 Information Classification
5 Access Control
6 Data Protection and Privacy
7 Network Security
8 Incident Response and Reporting
9 Physical Security
10 Employee Training and Awareness
11 Compliance and Enforcement
12 Policy Review and Updates

1 Introduction and purpose

Welcome to the Information Security Policy. This document outlines our commitment to maintaining the confidentiality, integrity, and availability of our information assets and systems. The purpose of this policy is to establish a comprehensive framework for safeguarding sensitive data, mitigating security risks, and promoting a culture of information security throughout the organization.

1.1 Importance of Information Security

In today's digital age, protecting our customer data, our company's sensitive information and intellectual property is paramount. A strong information security posture not only safeguards our assets and reputation but also fosters trust among our clients, partners, and stakeholders. By adhering to this policy, we aim to:

  1. Protect Confidentiality: Safeguarding confidential and proprietary information from unauthorized access, disclosure, or alteration.
  2. Ensure Integrity: Preventing unauthorized modification or tampering of data to maintain its accuracy and reliability.
  3. Assure Availability: Ensuring that critical information and systems are accessible to authorized personnel when needed.
  4. Comply with Laws and Regulations: Adhering to relevant data protection laws, industry regulations, and contractual obligations.
  5. Mitigate Security Risks: Identifying, assessing, and addressing potential information security risks proactively.
  6. Foster a Security-Conscious Culture: Instilling a sense of responsibility and awareness among all employees to protect information assets.

1.2 Applicability

This policy applies to all employees, contractors, vendors, and any other personnel who access or handle company information, whether on-premises or through remote means. It encompasses all electronic and physical information assets, including but not limited to computer systems, network infrastructure, databases, paper documents, and removable media.

1.3 Policy Review

This Information Security Policy will be reviewed annually or as needed to ensure its effectiveness and alignment with the evolving threat landscape, regulatory changes, and business requirements. Any updates or revisions will be communicated to all relevant stakeholders.

1.4 Compliance and Consequences

Compliance with this policy is mandatory for all individuals within the organization, and noncompliance may result in disciplinary action, up to and including termination of employment or legal consequences, where applicable.

We believe that information security is a shared responsibility and requires continuous vigilance. By adhering to this policy and adopting secure practices in our daily operations, we strengthen our resilience against potential threats and contribute to the long-term success of our organization.

1.5 Point of Contact

If you have any questions, concerns, or require further clarification regarding this Information Security Policy, please contact Jen Rossey at jen.rossey@lopos.be.

2 Scope

This Information Security Policy applies to all aspects of data generation, storage, and visualization processes within Lopos. The policy covers the handling of data from its inception on our hardware devices through its storage on our AWS backend and visualization on the dashboard. The scope of this policy includes, but is not limited to, the following areas:

2.1 Data Generation

  • All data generated on the LoposAlert hardware.
  • All data generated, collected, or processed on company-owned hardware systems, including workstations, laptops, mobile devices, and other data-generating devices.
  • Data generated by employees, contractors, or any other personnel acting on behalf of the organization.

2.2 Data Storage

  • All data stored in our AWS backend system, including databases, file storage systems, and cloud-based services.
  • Data stored on local devices or removable media.

2.3 Data Visualization

  • Data presented and visualized through applications, dashboards, and other visualization tools.

2.4 Access and User Accounts

  • User accounts and access controls for personnel authorized to interact with the data generation, storage, and visualization processes.
  • Procedures for granting and revoking access to specific data and systems.

2.5 Third-Party Access and Integration

  • Security considerations for third-party services or vendors that interact with our data on the AWS backend.
  • Guidelines for integrating external systems or APIs with our data visualization platforms.

2.6 Data Transmission and Communication

  • Security measures for transmitting data between on-premises hardware and the AWS backend system.
  • Guidelines for secure communication between authorized personnel and the backend.

2.7 Exclusions

This Information Security Policy does not cover the following:

  1. General IT infrastructure security policies, such as network security and endpoint protection, which are addressed separately in relevant company policies.
  2. Physical security measures for on-premises hardware systems, which are covered in the company's Physical Security Policy.
  3. Security policies specific to third-party services or vendors, which should be addressed through contractual agreements and service-level agreements.
  4. Security measures related to data generated, stored, or visualized on external systems or platforms not owned or managed by Lopos.

2.8 Policy Review

The scope of this policy will be reviewed periodically to ensure its continued relevance and alignment with the organization's data generation, storage, and visualization practices. Any changes or updates to the scope will be communicated to all relevant personnel.

By defining the scope of this Information Security Policy, we establish clear boundaries for the areas of data management covered, enabling us to maintain a consistent and effective approach to securing our data throughout its lifecycle.

3 Roles and Responsibilities

  1. CEO - Jen Rossey
  • Overall responsibility for information security at Lopos.
  • Ensuring that information security policies and practices are implemented and followed throughout the organization.
  • Providing necessary resources and support to maintain a robust information security posture.
  • Reviewing the effectiveness of information security measures and making strategic decisions to enhance security.

  2. Back-end Communication - Jan Bauwens
  • Managing and overseeing the secure communication between Lopos hardware and the AWS back-end system.
  • Implementing encryption and authentication mechanisms for data transmission.
  • Regularly monitoring back-end communication logs for any anomalies or suspicious activities.
  • Collaborating with the IT team to address any security vulnerabilities in the communication infrastructure.

  3. Hardware Communication Manager - Bart Jooris
  • Ensuring the security of communication interfaces and protocols used by Lopos hardware devices.
  • Implementing secure authentication methods for hardware access to the AWS back-end system.
  • Overseeing the deployment of security patches and updates to hardware devices.
  • Conducting regular security assessments of hardware communication channels.

  4. Data Visualization Manager - Enzo Simoen
  • Managing and securing the data visualization platforms and dashboards used by Lopos.
  • Implementing access controls to ensure only authorized users can access and view visualized data.
  • Monitoring the dashboard for any potential data leaks or exposure of sensitive information.
  • Collaborating with the development team to address security issues in data visualization interfaces.

  5. Employees and Authorized Personnel
  • Following all information security policies and procedures applicable to their roles.
  • Reporting any security concerns or incidents to their respective managers or the IT security team.
  • Safeguarding their access credentials and using them responsibly.
  • Participating in information security training and remaining vigilant about security best practices.

  6. Third-Party Vendors
  • Ensuring that third-party vendors or service providers comply with Lopos' information security standards.
  • Conducting due diligence assessments of third-party security practices before integration.
  • Collaborating with vendors to address security vulnerabilities or incidents promptly.

Each individual listed above plays a critical role in ensuring the security and integrity of Lopos' information assets and systems. By understanding their respective responsibilities and working collaboratively, the company can achieve a strong information security posture and effectively protect sensitive data.

4 Information Classification

At Lopos, we recognize the importance of appropriately classifying and safeguarding information based on its sensitivity. Proper information classification ensures that customer-specific data is protected and only accessed by authorized individuals. The following classification levels are defined to guide employees in handling and securing information:

  1. Public Information (Level 1):
  • Definition: Information that is intended for public disclosure and has no restrictions on access or distribution.
  • Examples: Marketing materials, general product information, press releases.
  2. Internal Use Only (Level 2):
  • Definition: Information that is intended for internal use within Lopos and should not be shared outside the organization.
  • Examples: Internal reports, non-sensitive employee information, and company policies.
  3. Confidential Information (Level 3):
  • Definition: Information that requires protection against unauthorized access or disclosure, including customer-specific data.
  • Examples: Customer contact details, service history, and any data shared by customers themselves.
  4. Highly Confidential Information (Level 4):
  • Definition: Highly sensitive information that demands the highest level of protection, as unauthorized access could have severe consequences.
  • Examples: LoposAlert dashboard data, proprietary product designs, and access credentials.

Handling Guidelines:

  1. Public Information (Level 1):
  • No special handling requirements.
  • Can be shared with the public, partners, or stakeholders without restrictions.
  2. Internal Use Only (Level 2):
  • Limit distribution to authorized Lopos personnel only.
  • Do not disclose outside the organization without proper approval.
  3. Confidential Information (Level 3):
  • Access should be restricted to employees who require the information to perform their duties.
  • Information must not be shared with external parties without customer consent.
  4. Highly Confidential Information (Level 4):
  • Access should be granted strictly on a need-to-know basis.
  • Encryption should be used for transmission.
  • Information must not be shared with external parties without explicit customer consent and higher-level management approval.

Responsibilities:

  1. Employees:
  • Understand and comply with the information classification guidelines.
  • Protect confidential and highly confidential information from unauthorized access or disclosure.
  • Report any suspected breaches or mishandling of information.
  2. Managers and Supervisors:
  • Ensure that employees under their supervision are aware of the information classification policy and its implications.
  • Oversee the proper handling of information within their departments.
  3. Data Privacy Officer:
  • Monitor and enforce compliance with the information classification policy.
  • Regularly review and update information classification guidelines based on changing business needs and regulations.

Adhering to these information classification guidelines ensures that customer-specific data is treated with the utmost care and confidentiality, fostering trust between Lopos and its customers and dealers.

5 Access Control

Access control is essential to maintain the confidentiality and integrity of sensitive information at Lopos. By implementing effective access control measures, we ensure that only authorized individuals can access specific data and systems. The following access control guidelines are in place:

  1. User Authentication:
  • All users must authenticate themselves before accessing any system or data.
  • Strong passwords are enforced, requiring a combination of uppercase and lowercase letters, numbers, and special characters.
  • Multi-factor authentication (MFA) is implemented for access to highly confidential information and critical systems.
  2. User Access Levels:
  • Access permissions are assigned based on the principle of least privilege, granting users the minimum level of access necessary to perform their roles.
  • Different access levels are defined for public information, internal use data, confidential information, and highly confidential data.
  3. Role-Based Access Control (RBAC):
  • Access rights are assigned based on job roles and responsibilities.
  • Changes in job roles trigger access reviews and necessary adjustments to user permissions.
  4. Access Approval Process:
  • Access requests are subject to approval by the respective data owners or supervisors.
  5. User Account Management:
  • User accounts are created, modified, or deactivated based on HR records and employment status.
  • Accounts for terminated employees are promptly deactivated to prevent unauthorized access.
  6. Remote Access:
  • Remote access to the company's systems is allowed only through secure Virtual Private Network (VPN) connections.
  • Users must adhere to specific security measures when accessing company resources remotely.
  7. Monitoring and Logging:
  • Access control mechanisms are continuously monitored, and logs are maintained for auditing purposes.
  • Security teams regularly review access logs to identify and investigate any unauthorized access attempts.
  8. Third-Party Access:
  • Third-party vendors or contractors are granted access to Lopos systems and data only when required for their assigned tasks.
  • Access is strictly supervised and revoked promptly when no longer necessary.
  9. Data Access Restrictions:
  • Customer-specific data is only accessible to the customers themselves and authorized dealers providing service to those customers.
  • Customers can access their own data through secure authentication and self-service portals.
  10. Emergency Access:
  • In exceptional cases, emergency access procedures are in place, allowing authorized personnel temporary access for critical tasks.
  • Emergency access is strictly logged and reviewed for accountability.

Access control at Lopos is a crucial aspect of maintaining the confidentiality, integrity, and availability of sensitive information. These measures help protect against unauthorized access and potential security breaches, contributing to a robust information security posture.

6 Data Protection and Privacy

At Lopos, we are committed to safeguarding the privacy and protecting the personal data of our customers, employees, and other stakeholders in compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws. The following measures are implemented to ensure data protection and privacy:

  1. Lawful Data Processing:
  • Personal data is collected, processed, and used only for specific, explicit, and legitimate purposes as defined by GDPR.
  • Data processing activities are based on lawful grounds, such as consent, contractual obligations, or legal requirements.
  2. Data Minimization:
  • We collect and process only the minimum amount of personal data necessary to achieve the specified purposes.
  • Unnecessary or redundant data is avoided, reducing the risk of data exposure.
  3. Data Transparency and Consent:
  • We provide clear and transparent information to individuals about the processing of their personal data.
  • Consent for data processing is obtained before initiating any relevant activity, and customers can withdraw consent at any time.
  4. Data Security:
  • Personal data is stored and transmitted in a secure manner, protected by appropriate technical and organizational measures.
  • Encryption and access controls are applied to prevent unauthorized access to sensitive data.
  5. Data Retention and Deletion:
  • Personal data is retained only for the necessary duration as per legal and business requirements.
  • When data is no longer needed, it is securely deleted or anonymized to ensure compliance with GDPR.
  6. Data Access Rights:
  • Data subjects have the right to access their personal data and request rectification, erasure, or restriction of processing where applicable.
  • Requests related to data subject rights are handled promptly and in accordance with GDPR requirements.
  7. Data Breach Notification:
  • In the event of a data breach that poses a risk to individuals' rights and freedoms, we adhere to GDPR's data breach notification obligations.
  • We promptly notify the relevant supervisory authority and affected individuals about the breach.
  8. Data Protection Impact Assessments (DPIAs):
  • DPIAs are conducted for high-risk data processing activities to identify and mitigate potential data protection risks.
  • Measures are implemented to ensure that data protection principles are upheld in such activities.
  9. Third-Party Data Processors:
  • Data processing agreements are established with third-party vendors or processors to ensure they handle personal data in compliance with GDPR.
  • We conduct due diligence on third-party processors to ensure their reliability and security practices.
  10. Employee Training and Awareness:
  • Employees handling personal data receive regular training on data protection and privacy practices.
  • Data protection awareness programs are conducted to foster a privacy-conscious culture within the organization.

Lopos takes its obligations under GDPR seriously and is committed to continuously enhancing data protection measures to protect the rights and privacy of individuals. Our privacy practices are regularly reviewed to ensure ongoing compliance with applicable data protection laws and regulations.

7 Network Security

Even though Lopos relies on cloud-based services and external providers for various functions, ensuring network security remains crucial to protect sensitive data and maintain the integrity of our operations. The following network security measures are implemented to safeguard our systems and data:

  1. AWS Security Measures:
  • Utilizing AWS Virtual Private Cloud (VPC) to create isolated network segments for enhanced security.
  • Configuring Network Access Control Lists (NACLs) and Security Groups to control inbound and outbound traffic.
  2. Encryption:
  • Implementing encryption protocols such as SSL/TLS for data transmission between clients and servers.
  3. Secure Access Management:
  • Applying robust access controls to AWS resources, limiting administrative access to authorized personnel.
  • Utilizing AWS Identity and Access Management (IAM) to manage user access and permissions.
  4. Monitoring and Logging:
  • Deploying AWS CloudTrail and AWS Config to monitor API activities and changes to AWS resources.
  • Analysing logs regularly to detect potential security incidents and anomalies.
  5. Multi-Factor Authentication (MFA):
  • Enabling MFA for AWS accounts and cloud-based services to strengthen authentication measures.
  6. Security Testing and Auditing:
  • Regularly conducting vulnerability assessments and penetration testing on AWS infrastructure.
  • Conducting periodic security audits to identify and address potential weaknesses.
  7. Google Workspace Security:
  • Leveraging Google's built-in security features for Google Workspace services (Gmail, Google Drive, etc.).
  • Configuring access controls, permissions, and sharing settings to prevent unauthorized access.
  8. Network Segmentation:
  • Segmenting network resources to isolate critical systems from non-sensitive
  • Applying strict access controls between network segments to minimize the attack surface.
  9. Employee Training and Awareness:
  • Conducting regular security awareness training for employees to promote safe computing practices.
  • Educating staff about the risks of phishing and social engineering attacks.
  10. Continuous Monitoring and Updates:
  • Monitoring AWS security advisories and promptly applying security updates and patches.
  • Keeping all cloud-based services and applications up to date with the latest security patches.

Despite relying on external cloud services, Lopos places a strong emphasis on network security to ensure the protection of sensitive data and maintain a resilient and secure IT environment. By adopting a multi-layered approach and adhering to best security practices, we aim to mitigate potential threats and vulnerabilities effectively.

8 Incident Response and Reporting

At Lopos, we maintain a robust incident response plan to promptly detect, respond to, and mitigate any security incidents that may occur. This plan outlines the steps to be taken in the event of a security breach or any other incident impacting the confidentiality, integrity, or availability of our data and systems.

Incident Identification and Reporting:

  1. Immediate Response: Any employee who suspects or identifies a security incident must immediately report it to the IT security team or their immediate supervisor.
  2. Incident Reporting Channels: Incidents can be reported through the company's support email address (support@lopos.be).
  3. Clear Reporting Format: Incident reports should include essential details such as the date, time, description of the incident, affected systems, and any potential impact on data or operations.
  4. Prioritization of Incidents: The IT security team will assess the reported incident's severity and prioritize its response based on predefined criteria.

Incident Response Process:

  1. Initial Assessment: The IT security team will conduct an initial assessment of the incident to determine its scope, potential impact, and urgency.
  2. Containment: Immediate measures will be taken to contain the incident and prevent it from spreading further. This may include isolating affected systems or disabling compromised accounts.
  3. Investigation: A detailed investigation will be launched to identify the root cause and the extent of the incident.
  4. Forensic Analysis: If necessary, digital forensic analysis will be performed to gather evidence and understand the nature of the incident.
  5. Notification: Relevant stakeholders, including management, legal, and data protection officers, will be notified if the incident involves sensitive data or legal implications.
  6. Communication: Clear and timely communication will be maintained with all affected parties, including customers, employees, or third-party partners, to provide updates on the incident and its resolution.
  7. Remediation: Steps will be taken to remediate the incident, repair any damage, and restore systems to normal operations.
  8. Lessons Learned: After the incident is resolved, a post-incident review will be conducted to identify lessons learned and any improvements needed in incident response procedures.

Documentation and Reporting:

  1. Incident Report: A detailed incident report will be prepared, documenting the incident's timeline, impact, actions taken, and the outcome of the response process.
  2. Legal and Regulatory Reporting: If the incident involves a data breach or potential data privacy violation, it will be reported to the appropriate legal and regulatory authorities in compliance with applicable laws and regulations.
  3. Record Keeping: All incident-related documentation, including logs, reports, and communication records, will be maintained for future reference and potential legal purposes.

By following this structured incident response process and promptly reporting any security incidents, Lopos aims to minimize the impact of incidents, protect our data and systems, and swiftly return to normal operations in the event of any security breach or incident.

9 Physical Security

Lopos has its offices in the Ghent Meet District office centre. While Meet District provides its own security protocols, Lopos takes additional measures to ensure physical security within our rented office space. These measures are implemented to protect the confidentiality, integrity, and availability of our physical assets and sensitive information:

  1. Access Control:
  • All entry points to Lopos' office area are equipped with electronic access control systems, restricting entry to authorized personnel only.
  • Access keys are issued to employees and authorized visitors, and access permissions are regularly reviewed.
  2. Visitor Management:
  • Reception personnel verify the identity and purpose of all visitors before granting access.
  3. Secure Storage Areas:
  • Sensitive documents, equipment, and assets are stored in locked cabinets or secure rooms.
  • Access to these storage areas is restricted to authorized personnel only.
  4. Equipment Protection:
  • All company-owned electronic devices (laptops, mobile devices, etc.) are securely stored when not in use or outside the office premises.
  5. Clear Desk Policy:
  • Employees are required to adhere to a clear desk policy, ensuring that sensitive documents and information are not left unattended on desks or visible to unauthorized individuals.
  6. Employee Training:
  • Employees are educated on physical security best practices and the importance of complying with office access and security policies.
  • Training sessions cover topics like visitor management, key handling, and reporting suspicious activities.
  7. Collaboration with Office Management:
  • Lopos collaborates with the office management at Ghent Meet District to ensure that security protocols are aligned and complement each other.
  • Regular communication helps address any potential security concerns and ensures a unified approach to physical security.

By implementing these physical security measures and collaborating with the office management at Ghent Meet District, Lopos aims to create a secure and safe working environment for its employees and protect sensitive company assets from unauthorized access or incidents.

10 Employee Training and Awareness

At Lopos, we understand that employees play a crucial role in maintaining a secure and resilient information security environment. Therefore, we provide comprehensive training and awareness programs to equip our workforce with the knowledge and skills necessary to identify and mitigate security risks effectively.

Training Topics and Modules:

  1. Information Security Fundamentals:
  • Introduction to the importance of information security and its relevance to Lopos' operations.
  • Explanation of the potential consequences of security breaches for the company, customers, and employees.
  2. Data Protection and Privacy:
  • Understanding the principles of data protection and the significance of complying with GDPR and other relevant regulations.
  • Educating employees about handling personal and customer data responsibly.
  3. Phishing Awareness:
  • Identifying common phishing techniques and how to recognize suspicious emails or messages.
  • Training on how to report potential phishing attempts.
  4. Password Security:
  • Guidance on creating strong and unique passwords for different accounts and systems.
  • Encouraging the use of password managers and the importance of not sharing passwords.
  5. Social Engineering Awareness:
  • Explaining the risks associated with social engineering attacks and how to avoid falling victim to them.
  • Emphasizing the importance of verifying requests for sensitive information through appropriate channels.

Lopos, confidential, 2023

  6. Physical Security Best Practices:
  • Educating employees on the physical security measures in place at Lopos' office and their responsibilities in following access control and visitor management procedures.
  7. Safe Internet and Device Usage:
  • Best practices for safe internet browsing, including avoiding risky websites and downloading files from trusted sources only.
  • Tips for securing company-issued devices and personal devices used for work purposes.
  8. Incident Reporting and Response:
  • Instructions on how to report security incidents and whom to contact in case of a suspected breach.
  • Training on the importance of reporting incidents promptly to minimize potential damage.
  9. Data Handling and Classification:
  • Guidelines on properly classifying and handling sensitive information based on its level of confidentiality.
  • Ensuring employees understand their access rights to various data categories.

Regular Training Updates:

Employee training and awareness programs are conducted periodically, and updates are provided whenever there are significant changes to security policies or new threats emerge. By keeping employees well-informed and vigilant, Lopos fosters a security-conscious culture that enhances the organization's overall resilience against potential security risks.

11 Compliance and Enforcement

At Lopos, adherence to information security policies and practices is essential to maintain the confidentiality, integrity, and availability of our data and systems. Compliance with these policies is mandatory for all employees, contractors, and third-party vendors. To ensure a secure environment and minimize security risks, we enforce compliance through the following measures:

  1. Policy Acknowledgment and Training:
  • All employees, contractors, and vendors are required to review and acknowledge their understanding of the Information Security Policy.
  • Completion of information security training is mandatory for all personnel to ensure they are aware of their responsibilities and the consequences of policy violations.
  2. Access Control and User Permissions:
  • Access to data, systems, and sensitive information is granted based on the principle of least privilege, ensuring that individuals have only the necessary permissions to perform their roles.
  • Any requests for access beyond the required level must be approved by the respective data owners or managers.
  3. Monitoring and Auditing:
  • The IT security team conducts regular audits and monitoring activities to detect potential policy violations or suspicious activities.
  • Log analysis and system monitoring help identify anomalies and unauthorized access attempts.
  4. Incident Response and Reporting:
  • All personnel are required to promptly report any suspected security incidents or policy violations to the IT security team or their supervisors.
  • Incidents are investigated, and appropriate actions are taken to address the root cause and prevent recurrence.
  5. Consequences for Policy Violations:
  • Policy violations are taken seriously, and appropriate disciplinary actions are applied based on the severity of the violation and its impact on the organization.
  • Disciplinary measures may include verbal or written warnings, suspension, termination of employment, and legal action, if necessary.
  6. Third-Party Vendor Compliance:
  • Third-party vendors and contractors working with Lopos are contractually obligated to comply with our information security policies.
  • Failure to meet the required security standards may lead to the termination of the vendor's engagement.
  7. Data Privacy and GDPR Compliance:
  • Lopos is committed to complying with the General Data Protection Regulation (GDPR) and other relevant data protection laws.
  • Non-compliance with GDPR requirements may result in significant penalties and reputational damage.
  8. Internal Reporting Mechanism:
  • A designated reporting mechanism is in place to allow employees to report any suspected policy violations or security concerns without fear of retaliation.
  9. Regular Policy Review:
  • The Information Security Policy is reviewed periodically to ensure its relevance and effectiveness in addressing emerging security challenges.
  • Updates and improvements are made as necessary to align the policy with changing business needs and industry best practices.

Enforcement of the Information Security Policy at Lopos underscores the organization's commitment to maintaining a secure and resilient information security posture. By holding all personnel accountable for compliance, we create a culture of responsibility and awareness, reducing the risk of security incidents and protecting our sensitive information.

12 Policy Review and Updates

At Lopos, we recognize the dynamic nature of the information security landscape and the importance of keeping our policies up to date to address emerging threats and technological advancements. Our policy review and update process involves the following steps:

  1. Regular Review Cycle:
  • The Information Security Policy undergoes an annual review as part of our commitment to continuous improvement and compliance with the latest industry standards and regulations.
  2. Feedback and Input:
  • Feedback from employees, IT security experts, and relevant stakeholders is collected to identify areas for improvement and potential policy gaps.
  3. Industry Best Practices:
  • Our policy review process includes a comprehensive analysis of industry best practices, security frameworks, and guidelines from reputable sources.
  4. Legal and Regulatory Changes:
  • We closely monitor changes in data protection laws and regulations, ensuring that our policy aligns with GDPR and other relevant legal requirements.
  5. Security Incident Analysis:
  • Insights gained from security incidents and near-miss events are considered to enhance the policy's effectiveness in mitigating similar risks.
  6. Communication of Updates:
  • Upon completion of the review and update process, employees are promptly informed about the revised policy and any changes to their responsibilities.
  7. Training and Awareness:
  • Training sessions and awareness programs are conducted to ensure all employees understand the updated policy and its implications.

By regularly reviewing and updating our Information Security Policy, we demonstrate our commitment to adapt to the evolving threat landscape and protect the confidentiality, integrity, and availability of our information assets. The policy serves as a living document, helping Lopos stay resilient against potential risks and maintain a security-conscious culture throughout the organization.