Epinion Information Security Policy

Epinion

Ryesgade 3F

2200 Copenhagen N

Denmark

T: +45 87309500

E: contact@epinionglobal.com

Introduction

The core of Epinion's business is data processing and analysis. Handling information and data correctly and in compliance with national and international regulation is what gives us our license to operate. Inability to do so will harm not only current business but also our brand and future business. Because of this, we regard information security as a matter of great importance. We rely on our customers' trust in us, and in our ability to handle data correctly. This document constitutes Epinion's Information Security Policy and overall Information Security Management System, and goals. In it we outline Epinion's commitment to information security, including the protection of data in our care. Being able to protect personal data collected from respondents, employees and partners is of vital interest of Epinion, and thus Information Security is of strategic interest and linked to the on-going success of Epinion.

Purpose

This Information Security Policy aims at defining the proper and secure use of Epinions IT-systems. Its goal is to protect Epinion and users to the maximum extent possible against security threats that could jeopardize confidentiality, integrity, availability, privacy, reputation and business outcomes.

Structure

To support the implementation of a Security aware organization, this Policy is supported by a Security Handbook, which in greater detail defines the specific Information Security controls, which furthermore is supported by operational procedures to enable a uniform day-to-day implementation of the Security controls, within Epinion.

Scope

This Information Security Policy, the handbook and procedures (“The Information Security framework”) applies to all the users in Epinion, including temporary users, visitors with temporary access to services and partners with limited or unlimited access to services. Compliance with policies in this document is mandatory.

Business and Security Goals

Epinions core business is based on working with and analyzing data of both sensitive and non-sensitive character. To maintain a high level of credibility with customers, respondents, partners and employees, Epinion is committed to create and maintain a balanced Information Security level, which is based on a thorough understanding of the opportunities and risks involved in working high volumes of data and based on this implementing a balanced Information Security framework which mitigates risks to an acceptable level and still enables the delivery of valuable data analysis and insight to Epinions customers. The key goals of Epinions Information Security framework are:

    • To create and maintain a risk model, which enables an understanding of the Risks towards Epinion and Epinions business
    • To create and maintain an effective and efficient Information Security framework based on ISO 27001/2, which adequately balances risks and possible safeguards, and thus supporting Epinions overall business strategy and model
    • Establish an organizational culture that ensures Information Security is embedded in activities and business processes, and not as an afterthought or add on
    • To support legal, statutory and contractual compliance with for instance EU-General Data Protection Regulation (Regulation (EU) 2016/679) and the supplementing Danish legislation (Databeskyttelseslov)

Responsibility and formal organization

To ensure a companywide adaptation and ongoing support of Information Security in Epinion, Epinion CMT is responsible for understanding the risks Epinion is facing and to ensure the continuous organizational implementation and maintenance of an adequate Information Security level. The individual manager/team leader is responsible for raising Information Security awareness levels and to ensure compliance with The Information Security Framework within his/her own group of personnel. The Head of IT is responsible for ensuring and maintaining an IT-infrastructure which both protects Epinion’s data and supports the ongoing operation of Epinion. The IT department in general share an obligation to keep the security standards high. Given their education and experience, they are expected to lead the way for the rest of the company on all security compliance matters. IT System owners are responsible for the security compliance on their system(s), including understanding an ensuring compliance with relevant laws. The individual employee is responsible for working within The Security Framework to protect Epinion and Epinions data to the best of their ability.

Risk assessment

Epinion CMT is overall responsible for risk management, and thus to ensure, that Epinions Information Security framework at all times meet the risks facing Epinion. Risk assessments must be conducted at least once a year or on major changes in Epinions way of doing business, data being analyzed, or IT-platform used. The assessment must be derived from:

    • an understanding of Epinions overall business processes, the systems used, and the data processed
    • how data flows between customers, Epinion and third parties

Outsourcing and Vendor Management

The risks in sharing information and/or system access to third parties (including outsourced business functions) must be assessed and reviewed at least annually. Third party vendors should be assessed as to their security policies and procedures, and the level of access they have to Epinion’s data and systems.

Incident Management and Business Continuity

Any security-related incident must be reported through Security Incident process and must be managed according to the Data Breach / Incident Response Plan of Epinion. The plan must cover technical, legal and administrative aspects of incident management, including any relevant regulatory requirements (data breach notification laws, for example) as well as compliance requirements. In case of major incidents, the Incident must be escalated to be handled within the Disaster Recovery / Business Continuity Plan. The CIO is accountable for ensuring the development and ongoing review of the Security Incident process and the Disaster Recovery / Business Continuity Plan.

Exceptions

Exceptions to The Information Security Framework may only be authorized by the Head of IT. Once every Quarter Epinion CMT must be oriented about all outstanding Exceptions and their current status.

Sanctions

Failure to comply with The Information Security Framework could harm Epinions business and reputation and furthermore relations with customers, public authorities and partners. Behaviour contrary to The Information Security Framework that could damage Epinions security or reputation will be taken very seriously and may result in instant dismissal and potentially a claim for damages. If any illegal activities are discovered, they will be reported to the management and the relevant authority.