Skip to content

Latest commit

 

History

History
109 lines (64 loc) · 6.54 KB

information-security.md

File metadata and controls

109 lines (64 loc) · 6.54 KB

Information security policy

Monta ApS
Strandboulevarden 122, 2100 Copenhagen, Denmark
Email: [email protected]
Company registration number: 41668385

Overview

Monta processes large amounts of information, including both internal, confidential, critical and personal data. It is Monta's responsibility that this processing complies with applicable legislation and authority requirements for information security.

This Policy is made within the framework of Monta's overall strategy, and taking into account our business values; trust and transparency. This Policy must therefore contribute to complying with applicable laws, policies and similar obligations while at the same time ensuring that information is used to achieve the company’s business goals.

Monta's Information Security Policy has been drafted based on the principles of ISO-27001, which is an international security standard. Our objectives for our information security and pursuing an ISO-27001 certification are: improved value proposition to enterprise customers, protecting stakeholders, maturing our tech stack and obtaining additional brand value.

Purpose


The overall purpose of this Policy is to ensure the confidentiality, availability, and integrity of all information and information assets belonging to Monta and its stakeholders (third parties, clients or customers and the general public), including

  • to establish a general approach to information security.
  • to build an overall framework (management system) for handling information security in different areas of the organisation.
  • to detect and mitigate the compromise of information security such as misuse of data, networks, computer systems, and applications.
  • to protect the reputation of the company with respect to its ethical and legal responsibilities.

Scope


This Policy applies to our processing, use and storage of information no matter the media, including on computer equipment, software, operating systems, storage media, network resources and network accounts providing electronic mail, online browsing, and file transfer protocols (collectively, “Monta Systems”) to conduct Monta business or interact with internal networks and business systems, whether owned or leased by Monta, the employee, or a third party.

This Policy applies to all directors, officers and employees of Monta, as well as third-party contractors and agents of Monta that have access to information or Monta Systems owned or leased by Monta (collectively “Authorised Users”).

Policy


Monta requires all Authorised Users to exercise a duty of care in relation to the operation and use of the Monta Systems.

Acceptable use

Use of the Monta’s Systems by Authorised Users will be lawful, honest and decent. Authorised Users are obliged by acceptable use principles and policies as part of their contracts with Monta.

Information must not be copied or transported outside the Monta Systems without consideration of:

  • the classification of the specific information as defined in Monta’s Information Classification Policy
  • permission from the information owner  
  • the risks associated with loss or falling into the wrong hands 
  • how the information will be shared with externals

Monta accept that employees are working from home or in other locations outside the office, however, to retain adequate information security this is regulated by the Remote Working Policy.

Cyber Security

Monta is addressing the threat of cyber-attacks both through our technical setup and through behavioral and technical guidelines for all Authorised Users.

Personal Information

Authorised Users of Information Systems are not given rights of privacy in relation to their use of Information Systems. Duly authorised users may access or monitor personal data contained in any Information System (mailboxes, web access logs, file-store etc) but always subject to Montas Privacy Policy and GDPR Policy.

Information Security Board

Monta has established an Information Security Board, which is led by the VP Operational Excellence & Governance. The responsibility of the Information Security Board is to implement information security measures and ensure proper compliance with the same. The Information Security Board has created a monitoring overview with both ongoing monitoring as well as bi-annual reviews.

Related standards, policies and processes

This Information Security Policy sets out the overall standards for Monta’s information security, which is regulated in further detail in the relevant policies listed below:

  • IT Policy
  • Office Security Policy
  • Secure Password Policy
  • Remote Working Policy
  • Information Classification Policy
  • Business Continuity Policy
  • Privacy Policy
  • GDPR Policy

These policies can be shared upon request on a private and confidential basis with third parties having a legitimate interest.

Publication of the policy

This Information Security Policy is publically available on www.monta.com, and can always be referred to or shared upon request.

Compliance with the policy

The Information Security Board will monitor compliance with this Policy using various methods, such as business tool reports, internal and external audits, and any feedback provided to Monta management.

Exceptions

Any exception to this Policy must be approved by the Monta Information Security Board in advance.

Non-Compliance

All Authorised Users are required to adhere to this Policy. Failure to comply may result in different disciplinary actions depending on the severity of the breach set out in the Information Security Handbook.

Responsibility for this policy & revision


Monta Management has overall responsibility for the effective operation of this Policy but has delegated day-to-day responsibility for overseeing its implementation and maintenance to the Information Security Board.

All managers have a specific responsibility to operate within the boundaries of this Policy, take effective steps so that all employees understand the standards of behavior expected of them, and to take action when behavior falls below its requirements.

The Policy shall be reviewed on a bi-annual basis by the Information Security Board. Further, it shall be reviewed, and eventual edits shall be approved, by Monta Management once per year in February.

Effective Date: 15 February 2024