Information Security Policies

Q: Is there an approved Information Security Policy that has been communicated to relevant stakeholders and assigned an owner for maintenance and review? If so, can you provide the policy and any applicable documents?

A: Yes, we have a set of Information Security policies that are maintained and regularly reviewed. These policies are hosted on GitLab, where they are accessible to all relevant team members, including developers and support staff, as part of their daily workflows.

While the policies themselves are not directly shareable, we can provide screenshots to demonstrate how they are displayed within GitLab. Let us know if you’d like us to share these for reference.

Q: Does your organization have a mobile device and teleworking policy that covers security best practices, including the physical environment, remote access (e.g., encryption requirements, restrictions, etc.), and malware protection for all employees and contractors? If so, can you provide the policy and any applicable documents?

A: While we do not have a formal written policy, all employees have been briefed on best practices for handling their devices. This includes the importance of using strong passwords, enabling two-factor authentication (2FA) across all platforms, and adhering to security guidelines to ensure a secure remote working environment.

Q: Are information security policies reviewed and updated at regular intervals (e.g., annually)?

A: Our approach to reviewing and updating information security policies varies depending on the policy type and the significance of the changes:

  • For major policies, we conduct annual reviews to ensure they remain up to date with best practices and regulatory requirements.
  • For policies impacted by substantial changes (such as new security threats, compliance requirements, or system updates), we update them immediately rather than waiting for an annual review.
  • For minor updates, we typically incorporate them into the annual review process.

This flexible approach ensures that our security policies remain relevant while allowing for timely updates when necessary.

Q: Do you have a Data Privacy Officer (DPO) or equivalent role to oversee compliance with privacy laws?

A: While we do not have a dedicated full-time Data Privacy Officer (DPO), our management team regularly reviews compliance with privacy laws. Our approach includes:

  • Periodic privacy law compliance reviews at the management level.
  • Minimal collection of personal private information within our software, which simplifies compliance efforts.
  • Strict data confidentiality policies for business information, ensuring that no customer data is ever shared with third parties under any circumstances.
