INFORMATION SECURITY POLICY
All rights reserved © 2021 SHIFT Consulting.
SHIFT Consulting is fully committed to protecting its Clients' information and its own classified corporate information, in line with professional, ethical, legal, regulatory and contractual requirements.
Information security is considered a critical success factor for SHIFT's position in the market as a trustworthy partner, and the loss or theft of information can have serious legal, financial and/or reputational consequences.
Therefore, SHIFT Consulting applies technical and organizational measures in order to safeguard the confidentiality, integrity and availability of information – in physical, digital or intellectual formats.
Thus, the principles of this information security policy, aligned with the ISO 27001 standard, are to ensure that:
- The information is protected against unauthorized access.
- The confidentiality of the information is guaranteed.
- Information integrity is maintained.
- All applicable laws and regulations are respected.
- Information security aspects are maintained in a business continuity scenario.
- Any breaches of information security, detected or suspected, are investigated by the areas competent for that purpose.
- Training and awareness of human capital are promoted regularly to foster an information security culture.
To this end, SHIFT Consulting manages an Information Security Management System (ISMS) that includes this policy and other procedures and norms, designed to maintain, review and improve information security controls with a risk-oriented approach.
The ISMS of SHIFT Consulting has the following main objectives:
- Provide information security measures aligned with the applicable business requirements, laws and regulations.
- Ensure that information assets receive an adequate level of protection, according to their classification and criticality.
- Manage the organization’s information assets with the appropriate ownership level and competences.
- Ensure proper access control and user registration, on a need-to-know basis, reviewed regularly.
- Prevent unauthorized physical access, damage and interference to the organization's information and data processing resources.
- Prevent the exploitation of technical vulnerabilities.
- Ensure that information security is designed and implemented along the software development life cycle.
- Ensure a consistent approach to manage information security incidents, including the communication of events and improvement opportunities.
- Ensure information security in the organization’s business continuity plan.
- Contribute to an information security culture, in a spirit of continuous improvement.