Information and Cyber Security Policy

Introduction

This Information and Cyber Security Policy (the “Policy”) contains rules and routines for the management of information security, cyber security, and privacy protection at Tendium, any related companies, employees, and other third parties involved in the organisation. Tendium shall inform all relevant stakeholders about essential alterations to this Policy and shall continuously work to improve stakeholder understanding and implementation of the requirements set forth in this Policy.

Goal

The overall goal of this Policy is to ensure that Tendium delivers secure and safe services to customers. Tendium shall continuously work to guarantee that Tendium employee’s and relevant stakeholders act in accordance with established internal and external routines to assure such delivery. 

In order to deliver, and keep delivering, safe services at all times, Tendium shall ensure the following:

  • Only authorised persons shall have access to information;
  • Information shall be accurate, complete, and available; 
  • Information, including information systems, shall be protected and secure;
  • Confidential and sensitive information shall be handled in accordance with the organisation’s internal policy to prevent disclosure at all times;
  • Personal data shall be collected, processed, stored, and shared only in ways that respect and safeguard the rights and integrity of individuals, and shall at all times be handled in accordance with the organisation’s external policies and internal routines; 
  • Access, changes, or creations of information shall be registered and traceable to individual users; and
  • In the event of any threats, unauthorised use, or other incidents that have an impact on the organisation’s (i) information; (ii) information systems; (iii) protection of privacy; and (iv) cyber security, the organisation’s goal shall be to quickly escalate such issues. The goal shall be to keep delivering the services and ensure the capability, provided that it’s possible and appropriate from a security perspective.

Risk Based Approach

Tendium adopts a risk based approach, and aims to optimise risks. For the purpose of risk optimisation and as part of Tendium’s security and privacy protection processes, Tendium carries out risk analysis that are integrated in the business operations, including any major changes within the organisation. Tendium analyses potential risks in regards to the cost of managing such a risk while identifying anticipated consequences. An overall assessment is made in order to take the optimal action from a business and security point of view.

Implementation

Tendium works with information security and data protection in line with ISO 270001 and are preparing for a certification of the same.

The relevant personnel responsible for Tendium’s security convene on a regular basis to provide updates, align priorities, and assess security strategies to ensure alignment with organisational objectives. Please refer to the list below for specific teams and their responsibilities.

Tendiums policies and guidelines within this area, supporting this policy, are available to all individuals within the Tendium organisation. Part of this documentation will also be accessible to external parties via Tendium’s Security and/or Legal Page, which is currently under development, and is available upon request for now. 

Tendium has an Incident Response Plan that outlines procedures to be followed in the event of incidents and breaches, such as cybersecurity incidents. This plan is an integral component of Tendium’s overall security framework and aligns with our compliance responsibilities under the General Data Protection Regulation (GDPR) and other applicable data protection and security legislation. It is designed to establish clear responsibilities and processes for effectively mitigating and managing potential data breaches and security incidents. It defines the steps to be taken to respond to and recover from security incidents that may impact the confidentiality, integrity, or availability of Tendium’s data and systems.

Responsibilities

The information security, cyber security, and data protection responsibilities are shared over the Tendium organisation and other relevant stakeholders. The specific responsibilities are as follows:

  • Tendium’s Information Security Team holds the main responsibility in Tendium’s work with information security. The Information Security Team shall lead the organisation on developing, maintaining, and updating security measures and processes.
  • Tendium’s Security Team (“C-team”) supports the Information Security Team with implementing information security processes and ensuring that guidelines and standards provided by the Information Security Team are met.
  • Tendium’s Legal Team are the leaders and the coordinators for protection of privacy within Tendium. The Legal Team is overall responsible for compliance with the General Data Protection Regulation (GDPR) (and other application data protection legislation) and supports the Tendium organisation on matters relating to this area. 
  • Tendium’s Incident Response Team is responsible for implementing the Incident Response Plan. The Incident Response Team includes representatives from the aforementioned teams, namely from IT, legal, management, and relevant business units. The team’s primary objective is to coordinate and execute incident response activities promptly and efficiently. 
  • All managers are responsible for the compliance with this policy and the specific processes and standards set out to ensure information security and data protection.

Reviewing

This policy shall at a minimum be reviewed annually, and updated as needed.