ISO Policy for Information Security by Tempestive

The management actively supports the company’s security through clear guidance, evident commitment, explicit assignments, and acknowledgment of responsibilities related to information security.
The management’s commitment is implemented through the following organizational structure:

1. ORGANIZATIONAL PROCEDURES (Pt.5)

• Ensure that the Information Security Management System (ISMS) is integrated into all business processes and that procedures and controls are effectively developed concerning the certification purpose.
• Monitor changes in the exposure to threats to the company’s key information, manage crises, analyze security incidents, and review risk acceptance criteria and acceptable risk levels.
• Promptly notify any unauthorized access to personal data or to equipment and premises used for their processing, or any other security breaches (data breache) that may have caused data loss, dissemination, or alteration.
• Provide sufficient resources for the planning, implementation, organization, control, review, management, and continuous improvement of the ISMS.
• Comply with GDPR Regulation (EU) No. 2016/679 and relevant privacy and cyber security regulations.
• Ensure the confidentiality of information through the use of specific NDAs.
• Facilitate the exercise of rights of access, rectification, and/or deletion by the customer in cloud solution providers.
• Ensure that data processing as a “processor” is conducted solely for the purposes disclosed during the service contract.
• Ensure that temporary files and documents are deleted or destroyed within a specific and documented time frame, consistent with the “Company Regulations on the Use of IT Tools and Email.”
• Notify the customer in advance about the use of subcontractors, data centers locations, and their obligations regarding data processing.
• Regulate in the general contract conditions the policy concerning data return/deletion obligations upon contract termination.

2. PERSONNEL MANAGEMENT PROCEDURES (Pt.6)

• Establish roles and responsibilities for the development and maintenance of the ISMS, as well as clearly define, record, and communicate “Processor” activities as Data Processor concerning privacy aspects.
• Manage crisis situations promptly through well-defined roles.
• Implement programs to spread awareness and culture of information security and support all initiatives aimed at improving security.
• Appoint a Data Protection Officer (DPO) in accordance with GDPR Regulation (EU) No. 2016/679.

3. INFRASTRUCTURE AND PHYSICAL SECURITY MANAGEMENT PROCEDURES (Pt.7)

• Protect access to physical archives from unauthorized personnel.
• Keep track of access to server rooms and network equipment.
• Ensure that electronic devices owned by Tempestive are used in compliance with company regulations.
• Ensure that printing of paper materials containing sensitive data is restricted.
• Verify the proper functioning and maintenance of technological equipment such as alarms, video surveillance, etc.
• Maintain and monitor support equipment for the network, such as UPS systems, etc.

4. SOFTWARE AND CYBER-SECURITY MANAGEMENT PROCEDURES (Pt.8)

• Empower personnel for the proper use of available IT tools and associated access credentials.
• Implement a procedure, and corresponding log, for the deletion of personal data without undue delay.
• Ensure that virtual machines are configured and reinforced to meet the organization’s needs.
• Document and monitor the operations of System Administrators (SAs).
• Ensure proper protection of intellectual property and management of related usage licenses.
• Commit to managing the customer’s personal data and access credentials according to the privacy terms agreed upon in the contract.
• Protect and separate the customer’s virtual environment from that of other customers and external parties.
• When using third-party cloud providers, the practice is (where possible) to use ISO-certified cloud providers in line with our security protocols.
• There is an internal regulation for authentication, tracking, classification, and permissions.