Appendix 3.1

Information Security Policy

Introduction

This document describes Worklife Barometer’s Information Security Policy, and the document “Manual on Information Security Policy for Worklife Barometer” describes how the Security Policy is implemented.

The purpose of the Security Policy is to indicate to all employees and external business partners that the use of information and information systems is subject to standards and guidelines. Of particular note is that Worklife Barometer’s core product Howdy is subject to the strictest requirements of the Danish Data Protection Agency, as personal information is being processed.

Worklife Barometer therefore wishes to maintain and continuously expand an IT security level that complies with the legislation in force at any given time, as well as with the specific matters emphasised by the Data Protection Agency (up until 25th May 2018) and with the General Data Protection Regulation (GDPR) after 25th May 2018. To guarantee this, Worklife Barometer cooperates with the company’s legal adviser, currently the law firm Lundgrens.

Maintenance and development of a high security level is an essential prerequisite for Worklife Barometer to achieve credibility.

To maintain Worklife Barometer’s credibility it must be ensured that information is processed with the required confidentiality and that complete, accurate and timely processing of approved transactions takes place.

IT systems are considered to be Worklife Barometer’s most critical resource. The focus is therefore on operation, security, quality, compliance with the law and on the systems being user-friendly, without unnecessarily difficult security arrangements.

An effective safeguard against IT security threats must be in place, so that Worklife Barometer’s image and the employees’ safety and working conditions are secured in the best possible way. The protection must address natural as well as technical and human-induced threats. All persons are considered possible sources of a security breach, meaning that no group of people is above the security regulations.

The objectives are therefore to:

  • obtain a high level of security of operation with a high availability percentage and minimised risk of larger breakdowns and data loss, i.e. AVAILABILITY
  • obtain correct function of the systems with a minimised risk of manipulation of and errors in data as well as systems, i.e. INTEGRITY
  • obtain confidential processing, transmission and storage of data, i.e. CONFIDENTIALITY
  • obtain mutual security among the involved parties, i.e. AUTHENTICITY
  • obtain security for mutual and documentable contact, i.e. INDISPUTABILITY

All of Worklife Barometer’s employees are explicitly made aware of Worklife Barometer’s Information Security Policy, and all Data processors (who are not processing IT Services) used by Worklife Barometer are informed of the company’s Information Security Policy through Data Processor Agreements and, where necessary, Service Level Agreements (SLAs).

Rules and guidelines from the Information Security Policy are continuously incorporated into the relevant applicable rules of the Staff Policy.

Extent

The security concept includes the following:

  • An Information Security Policy, which is approved by the management on the basis of a recommendation from the committee for Information Security Policy.
  • Security instructions and procedures formulated by the respective business-area owners from the requirements and guidelines described in “Manual on Information Security Policy for Worklife Barometer”.

Area of Validity

The policy applies to all of Worklife Barometer’s information-related activities, whether these are performed by employees of Worklife Barometer or by Data processors used by Worklife Barometer.

Organization and Responsibility

The delegated security-related responsibility and the associated authority under this policy are described generically and distributed into roles in “Manual on Information Security Policy for Worklife Barometer”.

Contingency Planning

Disasters are to be avoided through well-organised monitoring of the IT services in use. The extent of these precautions is decided from an assessment of risk versus security costs and user-friendliness.

Worklife Barometer’s contingency plan includes the following areas:

  • Damage-limiting initiatives
  • Establishment of temporary emergency solutions
  • Re-establishment of permanent solutions

The contingency plans must be continuously updated and tested – minimum once a year.

Sanctioning

Employees violating the applicable Information Security Regulations in Worklife Barometer can be disciplinarily sanctioned. The detailed regulations in this area are determined in agreement with the current Staff Policy.