The management of SOFTLINK s. r. o. (hereinafter referred to as the company) attaches great importance to securing the information entrusted to it and the information it handles. It perceives the protection of its own information and the information of its clients as a comprehensive and managed system of balanced measures aimed at adequately protecting all important assets. The primary priority is the protection of personal data of customers' clients processed by the company in accordance with the law on personal data protection.

The main task is to ensure the availability, integrity, and confidentiality of data. To protect its own and entrusted information, the company has built, maintains, and develops an information security management system (ISMS) in accordance with ČSN ISO/IEC 27001:2023. The information security management system is based on information security objectives and on identified and assessed risks.

The system further includes the determination of responsibilities and duties, along with the creation of and adherence to documented security policies and procedures. The system also sets the scope of risk assessment criteria, includes controls for compliance with established rules, defines legal, regulatory, and contractual requirements, and covers staff training and procedures for responding to security incidents.

Based on risk analysis, the company is committed to implementing security measures in the priority order given by the risk management plan and security requirements in the following areas:

  • Organizational security, defining responsibilities and the scope of the security management system.
  • Human resources security, ensuring that only authorized personnel, who are appropriately selected and aware of their responsibilities, have access to confidential information.
  • Asset classification and management, determining how to identify and assess assets, classify information, and handle it. This area also addresses the "Risk Analysis" itself, including defining its structure and evaluation criteria.
  • Access control, defining the protection and control of access to information, services, and processes.
  • Cryptography to protect the confidentiality, authenticity, and integrity of information.
  • Physical security and environmental security, preventing unauthorized access, damage, degradation, destruction, or other interference with the information and the premises where the devices are located.
  • Operational security, establishing procedures for the proper and secure operation of information processing resources and related services.
  • Communications security, aiming to ensure the protection and security of communications during their creation, storage, and transmission within and outside the company.
  • Acquisition, development, and maintenance of systems, defining security rules for system development and maintenance from the design, development, and testing phase through to actual operation and maintenance.
  • Supplier relationships, which must also be managed with regard to the agreed level of information security and service provision concerning the information security system.
  • Security incident management, establishing procedures for responding to violations of rules, security, and the resilience of the ISMS.
  • Business continuity management, establishing a framework for prevention and crisis response through the implementation of continuity plans.
  • Compliance assurance, detailing specific procedures to ensure that adopted measures comply with legislation and security technology requirements.

The company's management ensures that the information security policy:

  1. Aligns with the company's objectives,
  2. Includes a commitment to meet requirements and to continually improve the effectiveness of the system,
  3. Provides a framework for setting and reviewing security objectives,
  4. Is always accessible, communicated, and understood within the organization during staff training,
  5. Is regularly reviewed for continuing suitability through "Management Review," along with the quality management system.

Director of the company: Ing. Hynek Černý
Kralupy nad Vltavou, 20th April 2024

Our services are used by:

  • Apartment buildings
  • Logistic parks
  • Energy distributors
  • Shopping malls
  • Schools
  • Water supply companies
  • Hospitals
  • Local distribution systems
  • Industrial premises