General Security Policy
Introduction
The General Security Policy is a document that describes the rules, expectations, and overall approach that CargoX uses to maintain the integrity, confidentiality, consistency, security, and availability of the private, personal and other information that CargoX stores or manages.
It describes, in general terms, what is covered in detail by internal policies and regulations regarding security and data consistency inside CargoX.
CargoX is fully committed to following international best practices and security standards (such as ISO/IEC 27001:2022, ESG, PCI-DSS and similar) and our security policies reflect that.
Information security policy
One of the key aspects of a company working in the fintech sector is to adhere to the high level of security expectations of its customers and partners and justify their trust in the company and the platform it offers. Information systems and information within are one of the cornerstones of CargoX's daily operations and an important segment of CargoX’s work with its clients and partners.
The General Security Policy and all related information security policies have the approval of management and the CEO and are effective throughout the company.
The General Security Policy describes how CargoX handles the information it manages and its attitude towards that information. This document and related policies include the commitment of CargoX to fulfil information security goals for the data that CargoX manages (either as a “GDPR processor”, “GDPR controller” or other). CargoX keeps these policies current and up-to-date by reviewing them periodically, and when larger shifts in industry trends are detected.
The General Security Policy and other documentation of ISMS incorporate the requirements and recommendations of ISO/IEC 27001:2022.
CargoX is aware that all information it manages represents a certain value and as a whole can be labelled as “Information Wealth”. CargoX acknowledges that to achieve the trust of its clients and partners, this Information Wealth needs to be safe, secure, reliable, and available in line with access control permissions.
CargoX realises that security is an ongoing process of continuous improvement. As such, it has internal guidelines and policies ensuring that the users of its information systems are continuously educated about information security management, new security approaches and threats. CargoX ensures that all of its employees and contractors are security-conscious when using CargoX infrastructure and that they meticulously apply the information security policies of the company in their day-to-day work.
Purpose
The main purpose of the General Security Policy is to inform the broader interested audience about how CargoX manages information security. It also explains that information managed by CargoX is kept confidential, available, and consistent.
CargoX information security is compliant with ISO/IEC 27001:2022.
The goal of information security, Information Security Management System (“ISMS”, also “SUVI” in Slovenian), and, consequently, all the security policies implemented within CargoX is to:
Ensure alignment with related laws and regulations (such as GDPR);
Ensure uninterrupted service availability, business continuity, and disaster recovery in case of larger incidents and unexpected events;
Ensure proper reporting channels for security events and incidents;
Ensure swift and proper response to security incidents;
Improve the security and safety of all information managed by CargoX;
Increase security awareness of all employees, contractors, partners, and clients;
Assign proper security roles inside the company and within specific departments;
Ensure compliance with legal and contractual obligations;
Maintain CargoX’s ability to adapt to business needs;
Protect the good name of CargoX;
Gain, maintain and protect the trust of CargoX’s clients and partners;
Reduce risk related to security.
Goals
To ensure that security policies are properly implemented, CargoX has set the following overarching goals:
Establishment of a Security Culture: Foster a company-wide culture that prioritizes and values security in all operations and decision-making processes.
Continuous Improvement of Security Measures: Implement a structured process for continual review and enhancement of security controls and procedures.
Compliance with Standards and Regulations: Ensure ongoing compliance with ISO/IEC 27001:2022 standards and relevant legal and regulatory requirements.
Risk Management and Mitigation: Maintain a proactive approach to identifying, assessing, and mitigating security risks.
Incident Response Readiness: Develop and maintain a robust incident response capability to minimize the impact of security incidents.
These goals are further defined, measured, benchmarked, and executed inside internal processes within the organization.
Responsibilities
All individuals, legal and natural persons, including employees, contractors, partners, and clients of CargoX are responsible for establishing, maintaining and implementing proper security precautions.
CargoX management has established the Security Forum which is the responsible body for the management and maintenance of the ISMS.
CargoX ensures that its employees and subcontractors (“Workers”) are aware of all security controls, policies, and procedures in use before starting to work. All Workers need to go through mandatory security training. All Workers need to sign an NDA (Non-Disclosure Agreement), or a similar document, and a DPA (Data Processing Agreement) if they need to access any personal data. CargoX executes regular security trainings for its Workers.
Security is not a one-person or a department job. All Workers are responsible for executing the given security policies.
All Workers of CargoX are obligated to report all security events and incidents (deviations from normal operation). A report needs to be made as defined by internal standard operating procedures.
Reports need to be made in the event of:
Information security events and incidents;
Deficiencies or any suspected deficiencies in information security, as well as any threats to systems or services;
Malfunctioning of software or hardware.
Each notification of a suspected breach of the security policies is treated separately. During the investigation, the assigned access rights, competencies, or authorizations of Workers, partners, or clients may be withdrawn. Incidents are investigated by a person or group of persons working within the company, designated by management.
In the event of breaches of security policies, action shall be taken in accordance with the law and the rules prescribed in the security policy. External contractors shall be dealt with in accordance with the signed contract.
Management commitment
The management of CargoX d.o.o. is represented by the company's Chief Executive Officer (“CEO”). The CEO, together with the management and the heads of the departments, is responsible for the company's procurement for each of the following segments:
Financial resources;
Human resources;
Material resources and infrastructure;
Information resources;
An appropriate working environment.
The ISMS is part of ISO/IEC 27001:2022. By implementing the ISMS, the management of CargoX commits to:
verify the efficiency and effectiveness of ISMS based on the results of risk assessment, internal audits and management reviews;
continuously update and train its Workers in security;
ensure sufficient resources and conditions to execute security policies, as defined by ISMS;
create, align and execute the company’s vision, mission, strategic goals and internal and external policies;
execute and commit to comply with all relevant local and international laws and regulations;
foster the right attitude towards clients, employees, contractors, partners, and the environment by leading by example.
At least once a year, management reviews the performance of the ISMS through an internal audit.
Managing the ISMS
CargoX has established and maintains a General Security Policy and other related security policies. The General Security Policy and other security policies (standards, procedures, plans, etc.) are approved by the management of CargoX.
The management has created the Security Forum inside CargoX, which is responsible for managing and maintaining the ISMS. The Security Forum implements the Information Security Management System (ISMS), which includes the procedures, guidelines, responsibilities, and measures needed to achieve information security in the organisation. The ISMS enables the organisation to take a systematic approach to managing risk and ensuring information security in all its activities.
Legal Basis and Regulatory Compliance
The current legislation of the Republic of Slovenia, the ISO/IEC 27001:2022 standard, the General Data Protection Regulation (GDPR), and best practices in the field of information security that do not conflict with legislation are taken into account when writing security policies, regulations, instructions, statements, and procedures.