Management System Policy for Information Security

The organization aims to preserving its own interests and those of its Customers, paying particular attention to the aspects of:

• Legal requirements
• Service level
• Business continuity
• Confidentiality, integrity and availability of information

To this end, Top Consult aims to achieve information security by:

• using good practices to protect the organization’s information resources from threats to the security of internal or external information, either intentional or accidental
• aligning information security management with the organization’s strategic risk management context
• setting information security objectives and establishing direction and principles for action
• establishing criteria for risk assessment and risk acceptance
• controlling access to information resources based on business and security needs
• protecting information and physical media in transit
• protecting the information associated with the interconnection of corporate information systems
• applying guarantees for sharing information
• observing the clean desk policy for documents and removable storage media
• observing the clean screen policy for information processing services
• implementing appropriate security measures for mobile computing and communications
• using appropriate cryptographic controls to protect information
• ensuring protection, durability and correct use of cryptographic keys throughout their life cycle
• establishing rules for the development of software and systems and the application of these rules to developments within the organization
• ensuring the protection of the organization’s assets that are accessible by suppliers
• prohibiting the use of unauthorized software and respecting intellectual property rights laws
• protecting organizational and privacy data
• preparing backup copies of information, software and system images and regularly testing them
• keeping records for an appropriate period before disposing of them carefully
• applying disciplinary actions and discouraging improper use of information services by staff
• respecting the applicable information security requirements, including the requirements set out by ISO / IEC 27001: 2013
• reviewing the effectiveness of the ISMS at regular intervals
• continuously improving the ISMS.

The Information Security Management System ensures that business continuity management, backup procedures, malware protection, access to systems and information management and incident management are effectively implemented and adequately supported by specific and documented policies and procedures.

The information security requirements are continuously aligned with the strategic business objectives of the company and ensure that the information is shared and usable while maintaining the risk that this entails at a still acceptable level.

The Management supports information security through a clear direction, an outstanding commitment, explicit assignments and recognition of responsibilities.

All staff contribute, each with their own competence and professionalism, to the effectiveness of the Information Security Management System and its compliance with this policy.

The Information Security Management System is subject to systematic review and improvement.

Pier Luigi Zaffagnini CEO