Information Security Policy

All rights reserved © 2021 SHIFT Consulting.


SHIFT Consulting is fully committed to protecting its clients' information and its own classified corporate information, in line with professional, ethical, legal, regulatory and contractual requirements.

Information security is considered a critical success factor for SHIFT's position in the market as a trusted partner, and the loss or theft of information can have serious legal, financial and/or reputational consequences.

Therefore, SHIFT Consulting applies technical and organizational measures to safeguard the confidentiality, integrity and availability of information, whether in physical, digital or intellectual form.

The principles of this information security policy, aligned with the ISO 27001 standard, are to ensure that:

  • Information is protected against unauthorized access.
  • The confidentiality of information is guaranteed.
  • The integrity of information is maintained.
  • All applicable laws and regulations are respected.
  • Information security requirements continue to be met in a business continuity scenario.
  • Any information security breach, whether detected or suspected, is investigated by the areas competent for that purpose.
  • Staff training and awareness are promoted regularly to build an information security culture.

For this purpose, SHIFT Consulting operates an Information Security Management System (ISMS) that includes this policy and other procedures and norms, designed to maintain, review and improve information security controls using a risk-oriented approach.

The ISMS of SHIFT Consulting has the following main objectives:

  • Provide information security measures aligned with the applicable business requirements, laws and regulations.
  • Ensure that information assets receive an adequate level of protection, according to their classification and criticality.
  • Manage the organization's information assets with the appropriate level of ownership and competence.
  • Ensure proper access control and user registration on a need-to-know basis, reviewed regularly.
  • Prevent unauthorized physical access to, damage to and interference with the organization's information and data processing resources.
  • Prevent the exploitation of technical vulnerabilities.
  • Ensure that information security is designed and implemented throughout the software development life cycle.
  • Ensure a consistent approach to managing information security incidents, including the communication of events and improvement opportunities.
  • Ensure information security within the organization's business continuity plan.
  • Contribute to an information security culture, following a logic of continuous improvement.

Responsibilities

In the context of the ISMS, the highest authority in the company is its CEO/Director, who is responsible for:

  • Ensuring that the ISMS is embedded in all business processes and adopted by the entire management structure.
  • Maintaining a formally constituted and operational Information Security Committee, responsible for planning, defining, guiding, monitoring and controlling information security initiatives and for monitoring their performance.
  • Maintaining a formally appointed CISO (Chief Information Security Officer), who is the primary point of contact within the organization and manages ISMS activities.

All department coordinators must be aware of the compliance requirements for business processes and of the organization's information security policies, and must contribute, in their operational areas, to proper technical, organizational and human controls.

All employees and third parties who may in any way handle information belonging to clients or to SHIFT Consulting are required to support and follow all information security rules, and must immediately report to the CISO, by email to infosec@shiftconsulting.pt, any event that may cause, or has caused, a breach of information security.

Employees and third parties may be subject to disciplinary action or legal liability in the event of non-compliance with the information security policies and norms required by SHIFT Consulting.