This Policy defines the main principles of the N-iX Information Security Management
System in order to:
ISO/IEC 27001:2013 standard;
ISO/IEC 27001:2022 standard;
ISO/IEC 27002:2013 standard, clauses 6.1.1 and 6.1.2;
ISO/IEC 27002:2022 standard, clauses 5.2 and 5.3;
ISO/IEC 27701:2019 standard, clause 6.11.1;
PCI DSS standard, clause 12.
N-iX contractors (private entrepreneurs) who are part of the N-iX team at all levels and grades, casual and agency staff who have concluded a labor or civil contract with N-iX, and employees (including part-time and fixed-term employees, senior managers, officers, directors, consultants, trainees, etc.) (“Users”) are responsible for consistent compliance with this Information Security Policy and all other applicable Information Security documentation.
Users with access to information assets and information processing facilities are responsible for reporting any suspicious activity, security breach, or security violation to InformationSecurity@n-ix.com.
N-iX management ensures all the necessary resources are provided to fulfill and achieve the commitments mentioned in the given Policy.
N-iX’s IT Department, led by the Senior IT Director, is the central point of contact for all information security matters at the Company. Acting as internal technical and policy consultants, this department is responsible for reaching workable information security decisions that take into consideration the needs of Users while supporting the Company’s business objectives. Reflecting these decisions, the department defines the specific information security standards, procedures and controls for the Company. The IT Department must:
This Policy applies to: all internal and external Stakeholders.
Who should read this Policy: all internal and external Stakeholders.
N-iX fully supports and commits to achieving compliance with the personal data protection legislation and/or regulations applicable to its activities, as well as with the applicable contractual terms agreed with the Company’s partners, vendors and other third parties (customers, suppliers, etc.).
N-iX management is also committed to establishing compliance with the applicable Information Security policies, regulations, and applicable laws to ensure the confidentiality, integrity, and availability of the relevant information assets of the Company and its clients.
N-iX commits to establish, implement, operate, maintain and continually improve the Information Security framework, in accordance with industry best practices and any legal, regulatory, and contractual requirements.
The following information security principles provide overarching governance for the security and management of information at N-iX:
N-iX classifies its information assets into categories for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. To assist in the appropriate handling of information, a sensitivity classification hierarchy is used throughout N-iX operations. This hierarchy provides a shorthand way of referring to sensitivity, and can be used to simplify information security decisions and minimize information security costs. Such an approach also provides consistent handling of the information, no matter what form it takes, where it goes, or who possesses it. For this reason, all Users have to maintain the labels reflecting sensitivity classification categories of data. For more information please refer to Data Classification Policy.
N-iX allows the use of Company assets primarily for business purposes. Users are expected to use the Internet responsibly and productively. Business activities also include research and educational tasks that may be found via the Internet. However personal use of Company assets is permitted if such use does not:
Further, at all times Users are responsible for the professional, ethical and lawful use of the Company assets. If a User is unsure about what constitutes acceptable use, then the User should consult his/her team lead or Information Security staff for further guidance and clarification.
The network is the property of N-iX and is to be used for legitimate business purposes. Users are provided access to the computer network and internet to assist them in the performance of their activities. Abuse of the computer network or the Internet may result in disciplinary action, up to termination, and civil and/or criminal liability.
To ensure security and to avoid the spread of viruses and other malware, Users may only access the Internet through a computer or device attached to the Company's network and routed through an approved firewall or other security device. Bypassing N-iX's computer and network security is strictly prohibited.
N-iX uses a variety of standard products to enable the Company to maintain business continuity as well as a stable and secure network environment. These products include software and hardware for virus protection and for keeping network traffic levels and server disk usage under regular scrutiny. Filtering products are also in place. These products access data transmitted through N-iX’s Electronic Mail System and generate log files in order to protect the security, integrity, and continuity of N-iX systems, processes, and business.
Each User must be assigned their own unique user ID to access Company assets. This user ID follows an individual as they move through N-iX. It must be permanently decommissioned when a User leaves N-iX. Re-use of user IDs is not permitted. Every User ID and related password is intended for the exclusive use of a specific individual.
Logging is an essential component for security, performance, and compliance monitoring purposes. Therefore N-iX may monitor, inspect, copy, review, and store any files, information, software, and other content created, sent, received, downloaded, uploaded, accessed, or stored through the company's Electronic Mail System and information systems.
Files obtained from sources outside Company, including files brought from home, files downloaded from the Internet, files attached to an email, and files provided by N-iX’s clients, or vendors, may contain dangerous malware that may damage Company's network.
Users must never download files from the Internet, accept email or chat attachments from outsiders, or use removable media from non-Company sources without first scanning the material with Company-approved anti-virus software. If Users suspect that malware has been introduced into the Company's network, they must notify the Network Administrators / Information Security immediately. The Company has the right to use hardware and software that makes it possible to identify, block and delete emails and content containing malware.
In pursuit of continuous improvement N-iX has developed Information Security Objectives, consistent with the Information Security Policy:
The Information Security Policy shall be clearly understandable and shall be communicated and shared within N-iX via the official Company portal; it shall also be made available to interested parties.
To improve the security and confidentiality of information, N-iX has adopted a Clean Screen and Desk Policy, which is also an important security and privacy control necessary for ISO 27001 compliance. This ensures that all sensitive and confidential information, whether it be on paper, a storage device, or a hardware device, is properly locked away or disposed of when a workstation is not in use. This policy shall reduce the risk of unauthorized access, loss of, and damage to information during and outside of normal business hours or when workstations are left unattended. For more information please refer to Clean Screen and Desk Policy.
The Internet and other public networks are not protected from wiretapping by default. In all but a few rare instances, if information is to be protected, then the User must take specific action to enable encryption facilities. Users who employ cellular or mobile phones must not store or discuss sensitive information unless they have taken steps to encrypt the information. Video conferences must not involve discussion of sensitive information unless encryption facilities are known to be enabled. Whenever sensitive information is sent over a public computer network like the Internet, encryption methods authorized by the System Administration Department must be used to protect it.
Whenever confidential information is stored in a computer, this storage must be with similar authorized encryption methods. As a general approach at N-iX:
Remote access to N-iX computers must be granted only to those Users who have a demonstrable business need for such access. Permission for remote access is granted by the IT Department.
All security requirements contained in this Policy apply at remote locations. Sensitive information stored on computing devices or on paper must be kept in a secure manner. All portable and remote computers that are under the control of Users and that are used to process the Company’s business information must be protected with access control packages approved by the IT Department. These packages must prevent unauthorized use of the workstation and unauthorized access to N-iX information, and must also protect the device against virus infections and other damage from malicious software.
Travelers are often the target of theft. When traveling Users must employ anti-theft techniques. Store equipment in a secure area such as a locked room or auto trunk. Users must also be careful not to discuss sensitive information when in public places like hotel lobbies, restaurants, and elevators. Viewing sensitive information on a computer screen or hardcopy report is prohibited when a user is in a public place such as seated on an airplane. Users must be careful not to provide sensitive information in voice mail messages or pager messages.
N-iX shall implement effective systems and procedures to ensure that email is used as an efficient mode of business communication, and control procedures to ensure that the email facility is not misused by Users. It must also be ensured that the email service and its operation remain secure and efficient, both for communication within the intranet and over the Internet.
Changes to N-iX information technology facilities and systems should be controlled in order to ensure that changes made to a production component are applied in a secure and consistent manner. For more details please refer to Change Management Policy.
Company’s vendors shall abide by this Policy, or otherwise be able to demonstrate corporate security policies providing equivalent technical and organizational security measures. This is applicable:
Where N-iX uses cloud services, it retains responsibility as the data controller for any data it puts into the service, and can be fined for a data breach even if the breach is the fault of the cloud service provider. N-iX also bears responsibility for notifying the supervisory authority, as well as any affected individuals, of any breach of its data. N-iX must therefore be able to judge the appropriateness of a cloud service provider’s information security provision. This leads to the following stipulations:
Where data needs to be erased, it is erased using tools that overwrite the data several times. All electronic storage media are sanitized when they are no longer necessary for business use, provided that sanitization does not conflict with regulatory requirements (for example, retention obligations). All data, including all files and licensed software, is removed from equipment using disk sanitizing software that overwrites every disk sector of the media with zero-filled blocks.
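One way to carry out the overwrite-and-verify step described above, shown here as an added example rather than the Company's own sanitization tooling: the script assumes a POSIX shell with GNU `dd`, `head` and `cmp` (and `blockdev` for real block devices), and that it is run as root against a device such as `/dev/sdX`. The function names `byte_size`, `overwrite_pass`, `zero_fill`, `verify_zeroed` and `sanitize` are chosen for this example; the regular file used when testing stands in for a device.

```bash
#!/bin/sh
# Added example (not N-iX's own tool): multi-pass overwrite sanitization, final pass
# zero-filled, followed by a byte-for-byte verification that no non-zero data remains.

# Size of the target in bytes. Block devices are measured with blockdev; reading them
# through wc would take as long as the wipe itself.
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# Overwrite exactly $size bytes of $target from the given source (/dev/urandom or /dev/zero).
# conv=notrunc keeps a regular file at its original length, which is what a device behaves like.
overwrite_pass() {
    target="$1"; source="$2"
    size=$(byte_size "$target")
    head -c "$size" "$source" | dd of="$target" bs=4096 conv=notrunc 2>/dev/null
    sync    # make sure the writes have actually reached the media before verifying
}

# Final pass: every sector ends up as a zero-filled block, as the policy requires.
zero_fill() {
    overwrite_pass "$1" /dev/zero
}

# Verification: compare the whole target against a zero stream of the same length.
# cmp returns non-zero on the first differing byte (or if the lengths differ).
verify_zeroed() {
    target="$1"
    size=$(byte_size "$target")
    head -c "$size" /dev/zero | cmp -s "$target" -
}

# sanitize TARGET [PASSES]: PASSES-1 random passes, then a zero pass, then verification.
# Returns 0 only if the final read-back is all zeros.
sanitize() {
    target="$1"; passes="${2:-3}"
    i=1
    while [ "$i" -lt "$passes" ]; do
        overwrite_pass "$target" /dev/urandom || return 1
        i=$((i + 1))
    done
    zero_fill "$target" || return 1
    verify_zeroed "$target"
}

# Usage when run directly: sanitize /dev/sdX 3
if [ $# -ge 1 ]; then
    if sanitize "$1" "${2:-3}"; then
        echo "sanitized and verified: $1"
    else
        echo "sanitization of $1 FAILED verification" >&2
        exit 1
    fi
fi
```

The verification pass is the part most sanitization scripts omit, and it is what turns "we ran a wipe" into evidence that the media is clean. Note that overwriting is only meaningful where logical sectors map directly to physical storage; for SSDs and other flash media, NIST SP 800-88 points to the drive's own secure-erase or cryptographic-erase command instead, so the approval of the IT Department should cover which method applies to which media type.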
Compliance with this Policy is mandatory and all breaches will be investigated. Activities related to the use of information assets and information processing facilities will be monitored to ensure that the Company's requirements for confidentiality, integrity, and availability are maintained.
Users must report every known non-compliance with any requirement of this Policy to mail InformationSecurity@n-ix.com.
Compliance with this document will be officially monitored, which may include random and scheduled checks.
All initiatives require the participation of Team Members to be successful.
Any Team Member or Vendor found to have violated this document may be subject to disciplinary action, up to and including termination of employment or services. All violations of this Policy will be recorded and monitored.