General Security Policy

 

1 Mission and objectives

XLAB d.o.o. is one of the leading providers of IT solutions in the region. Our focus is software development and research in the field of cloud computing and distributed systems.

Our goals are to create an environment for the development of high-quality and innovative technological products, to offer these products in the international market and to provide exceptional support to our customers.

 

2 Vision

The vision of XLAB is to bridge top academic knowledge with high-tech industry and, in turn, provide solutions for our most demanding customers. Our slogan is “Get IT done”.

 

3 Information security policy

Confidentiality, integrity and availability of the data that XLAB manages are essential to the overall functioning of the company. The information security policy was thus adopted by the CEO together with other executive structures in our company to provide a framework that establishes appropriate levels of information security for all data and information technology systems.

The company’s information security policy includes a commitment to meet the demands regarding data management and provides the basis for a management review of the progress of set objectives. The information security policy is constantly reviewed according to current market trends and trends in the field of information security.

 

4 Purpose / Objective

The objective of the security policy is to ensure the confidentiality, availability and integrity of data while it is managed by the company. The information security policy is compliant with the ISO/IEC 27001:2022 standard.

The goals of the security policy are:

 

5 Responsibilities

All employees, contractors and students who have any contact with information resources owned by the company are responsible for the application of the security policy.

XLAB has the responsibility to provide all current and new employees, students and contractors with appropriate education and training to ensure compliance with information security standards. After training, each person has to sign the Confidentiality Statement, which confirms that they have been acquainted with the security and other policies of XLAB and agree to adhere to them.

Depending on the sensitivity and confidentiality of the data involved in their work, an employee or a contractor might be required to sign additional documents to ensure information security.

 

6 Leadership commitment

The leadership of the company commits to the Information Security Management System (hereinafter: ISMS) by:

 

7 Security engineer

The management of the company has authorized a security engineer, who will take care of the ISMS documentation. The CEO appoints the security engineer for a five-year period, which may be extended.

The tasks of the security engineer are:

In addition, the security engineer is responsible for the implementation, execution, administration and interpretation of policies, standards, guidelines and procedures related to information security in the company.

 

8 Objectives and their evaluation

To monitor the implementation of the information security policy, we have established the following objectives:

 

During the creation of security policies, rules, instructions, declarations and procedures, the following is taken into account:

 

10 Security policy

The security policy and other ISMS documentation include the requirements and recommendations of ISO/IEC 27001:2022. Individual security policy chapters describe the topics defined by the standard. The security policy chapters are intertwined and complement each other.

The chapters defined by the security policy are:

Additional sections may be written for individual fields of application, where required.

 

11 Action plan in the event of deviations or exceptional circumstances

All employees, contractors and students are required to report any extraordinary events (deviations from normal state) to the security engineer. An extraordinary event is reported orally, by telephone, through an electronic message or by completing the prescribed form, paper or electronic. The security engineer is responsible for recording the incident and, if necessary, taking appropriate action.

Reports shall be made in the case of:

Each reported suspicion of a security policy violation is dealt with separately. During the investigation, the allocated access rights, authorizations or powers may be revoked. The incident is investigated by a person or group of people operating within the company, appointed by the management.

In the event of a breach of security policies, personnel shall act in accordance with the legislation and the rules defined in the security policies. Regarding subcontractors, the company shall act in accordance with the signed contract.

 

12 Reference documents

 

13 Document owner

The owner of the document is the Chief Security Engineer, who is responsible for maintaining the document.