Table of contents
This policy defines and communicates the information security criteria, means, methods, and measures to protect memoQ’s information assets and those of our clients from the breach of confidentiality, integrity, and availability with respect to memoQ’s information security management system (hereinafter referred to as ISMS) as required by ISO/IEC 27001:2017 International Standard (hereinafter referred to as ISO 27001).
As a forward-thinking organization, at senior levels, memoQ recognizes the need to ensure the confidentiality, integrity, and availability of its information assets, which ensure that the organization’s operations remain uninterrupted for the benefit of its customers as well suppliers.
To provide the expected level of continuous operations, memoQ has implemented an ISMS based on ISO 27001. This standard defines the requirements for an ISMS based on international best practices. memoQ has decided to maintain a certification to ISO 27001, so that independent third parties—authorized certification bodies—can always validate the effective adoption of information security best practices.
This policy applies to all users, staff and authorized third parties who do business or communicate with memoQ.
memoQ established a management framework to plan, implement, and control the framework and operation of information security within the organization. The table below lists the roles in the company that directly relate to, and are responsible for, information security.
|Information Security Governance Team
|The ISGT defines information security strategy and policies for memoQ. The chair of the ISGT is responsible for operating the ISGT itself but is not involved in running the information security operations. The ISGT chair must make sure that the monthly ISGT oversight meetings happen and are properly documented.
|Chief Information Security Officer (CISO)
|Assumes high-level responsibility for information security across memoQ. For the purposes of the standard, this is the Chief Information Security Officer position. Responsible for managing, maintaining, monitoring, and reporting on the effectiveness of the ISMS to the ISGT.
|Responsible for the ethics, compliance, and legal policies, procedures, and training (in short: the effective compliance program) that relate to appropriate data access, maintenance of confidentiality and data integrity, and information governance.
|Internal Information Security Auditor (IISA)
|Provides independent oversight over the operation of the ISMS.
|Services & IT Team (SEIT)
|Responsible for monitoring and assessing technical security controls, as well configuring services and systems.
|Users, third parties
|Responsible for adhering to the ISMS requirements.
memoQ developes, maintains and manages an information security awareness program, so that users of the memoQ data infrastructure receive adequate training and security awareness guidance. Security awareness techniques can include, for example, generating email advisories/notices, displaying logon screen messages, and conducting information security awareness events.
Mandatory cybersecurity training is provided at least once a year for all stakeholders who receive access to the memoQ data infrastructure. The content must include a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents.
Role-based security training may be provided to certain stakeholders with assigned security roles and responsibilities. memoQ periodically conducts simulations or walkthroughs of a cyber-attack, so that individuals responsible for identifying and managing Security Incidents receive proper training.
memoQ has a documented asset management procedure and maintains an asset inventory, which is accurate, up to date and aligned with other inventories. In addition, memoQ has a documented Acceptable Use Policy. memoQ’s offboarding process includes the return of all previously issued physical and electronic assets owned by memoQ.
memoQ established an information classification and labeling scheme to ensure that every item of information receives the level of protection that is appropriate for its importance to memoQ.
memoQ maintains a documented onboarding and offboarding procedure, which includes a formal user registration and de-registration process to enable assignment (or revocation) of access rights, unique IDs for all users, a periodic review of access rights with owners of the information systems or services, restrictions and control of privileged access rights by management, an authorization process to allocate and control privileged access rights, quarterly review of privileged access, password requirements (such as minimum length, complexity, periodicity to change, password history), and encrypted passwords in store and transmit.
Access to memoQ data is exclusively granted to individuals who have a legitimate need (need-to-know principle) and in line with the principle of least sufficient privilege. Every item of memoQ data is available exclusively to users who are authorized based on their job role. memoQ established, maintains, and follows process to revoke user access when the user’s employment or other contractual relationship terminates, expires, or otherwise ends.
memoQ established a proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information. Cryptography requirements are described in a policy on the use of cryptographic controls, and key management.
memoQ enforces well-defined security perimeters to protect the organization’s sensitive or critical information and information processing facilities. As part of this enforcement, memoQ has restricted access to its sites and buildings to authorized personnel and implemented physical barriers where applicable, to prevent unauthorized physical access and environmental contamination. Access to areas where confidential information is processed or stored is restricted to authorized individuals only. memoQ developed and implemented a clear desk and clear screen policy.
Administrative privileges are limited to users who have both the necessary knowledge and business need to perform administrative activities. memoQ uses system-specific configuration management tools (such as Active Directory Group Policy for Microsoft Windows environments) that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. Automated tools are deployed to continuously monitor workstations and servers.
There is a change management process and procedure to manage and control changes to production applications and infrastructure. Application changes are tested by the Services & IT Team prior to implementation. Standard secure operating system configurations are established and used.
Anti-malware software is deployed on all endpoints within the organization. Separate environments are maintained for production and non-production systems. Devices are configured to log access control events associated with a user attempting to access a resource (e.g., a file or directory) without the appropriate permissions. Failed logon attempts are also logged.
Data in backup storage are tested on a regular basis by performing a data restoration process to ensure that the backup procedure is working properly. Key personnel in the Services & IT Team are trained on both backup and restoration processes.
memoQ has a firewall protection for all systems and internet connectivity; VPN and/or encryption for sensitive information that would otherwise pass over public networks. Multi-factor authentication is also enforced for all user accounts.
Network perimeters are designed and implemented so that all outgoing traffic to the Internet must pass through at least one firewall or proxy. An internal network segmentation scheme has been implemented to limit traffic to only those services needed for business use across memoQ’s internal network. Synchronized time sources are used (e.g., Network Time Protocol: NTP) from which all servers and network equipment retrieve authoritative time information on a regular basis to ensure that timestamps in logs are consistent. Network boundary devices (including firewalls, inbound and outbound proxies) are configured to log traffic.
As part of memoQ’s information security requirements, memoQ’s development life cycle includes the information security requirements for new information systems or enhancement of existing information systems. It applies formal change control processes to all changes to systems within the development life cycle, maintains version control for all software updates, and restricts and controls modifications to software packages by limiting them to necessary changes only. Prior to deployment, internally developed application software is tested for coding errors and vulnerabilities. All source code is centrally managed and retained in a source code repository.
memoQ maintains a supplier information security policy to mitigate and document the risks associated with supplier’s access to the organization’s assets. All relevant information security requirements are established and agreed with each supplier that may access, process, store, communicate memoQ’s data or provide IT infrastructure for these data. Agreements with suppliers include requirements to address the information security risks associated with information and communications technology services and product supply chain.
memoQ regularly monitors, reviews, and audits its suppliers’ service delivery and information security attitude and compliance. memoQ enforces supervision of changes to the provision of services by suppliers, taking into account of the importance of business information, systems and processes involved. Any such change implies the re-assessment of all associated risks.
memoQ’s information security incident response plan includes methods for the analysis of events and the criteria for determining if the event should be escalated to become an incident. The procedure includes roles and responsibilities for personnel and requirements for internal (e.g. Compliance, Communications, Legal, Executive Team) and external (e.g. Law Enforcement, Customer) notifications. There is also a procedure, made known to all memoQ personnel, dealing with the mechanisms for identifying and reporting an information security incident, with this information being included in the routine security awareness training as well.
The knowledge that memoQ gains from analyzing and resolving information security incidents is used to reduce the likelihood or impact of future incidents. memoQ defines and applies procedures for the identification, collection, acquisition, and preservation of information that may serve as evidence.
Information security has been embedded in memoQ’s business continuity management processes. The organization determined its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. memoQ established, documented, implemented and maintains processes and controls to ensure the required level of continuity for information security (e.g. logging, access control) during an adverse situation. memoQ regularly conducts business continuity tests that cover the testing of information security requirements as well.
memoQ maintains a list of applicable legislative, statutory, regulatory, and contractual requirements required by the organization. memoQ has an annual independent review of information security and regular technical compliance reviews.