General Security Policy
The General Security Policy is a document that describes the rules, expectations, and overall approach that CargoX uses to maintain the integrity, confidentiality, consistency, security, and availability of the private, personal and other information that CargoX stores or manages.
It describes, in general terms, what is specifically covered by internal policies and regulations regarding security and data consistency inside CargoX.
Information security policy
One of the key aspects of a company working in the fintech sector is to adhere to the high level of security expectations of its customers and partners and justify their trust in the company and the platform it offers. Information systems and information within are one of the cornerstones of CargoX's daily operations and an important segment of CargoX’s work with its clients and partners.
The General Security Policy and all related information security policies have the approval of management and the CEO and are effective throughout the company.
The General Security Policy describes how CargoX handles the information it manages and what its attitude towards that information is. This document and related policies include the commitment of CargoX to fulfil information security goals for the data that CargoX manages (either as a “GDPR processor”, “GDPR controller” or other). CargoX keeps these policies current and up-to-date by reviewing them periodically, and when larger shifts in industry trends are detected.
The General Security Policy and other documentation of ISMS incorporate the requirements and recommendations of ISO/IEC 27001:2022.
CargoX is aware that all information it manages represents a certain value and as a whole can be labelled as “Information Wealth”. CargoX acknowledges that to achieve the trust of its clients and partners, this Information Wealth needs to be safe, secure, reliable, and available in line with access control permissions.
CargoX realises that security is an ongoing process of continuous improvements. As such it has internal guidelines and policies ensuring that the users of its information systems are continuously educated about information security management, new security approaches and threats. CargoX ensures that all of its employees and contractors are security-conscious when using CargoX infrastructure and that they meticulously apply the information security policies of the company in their day-to-day work.
The main purpose of the General Security Policy is to inform the broader interested audience about how CargoX manages information security. It also serves to explain that the information managed by CargoX is kept confidential, available, and consistent.
CargoX information security is compliant with ISO/IEC 27001:2022.
The goal of information security, Information Security Management System (“ISMS”, also “SUVI” in Slovenian), and, consequently, all the security policies implemented within CargoX is to:
Ensure alignment with related laws and regulations (e.g. such as GDPR);
Ensure uninterrupted service availability, business continuity, and disaster recovery in case of larger incidents and unexpected events;
Ensure proper reporting channels for security events and incidents;
Ensure swift and proper response to security incidents;
Improve the security and safety of all information managed by CargoX;
Increase security awareness of all employees, contractors, partners, and clients;
Assign proper security roles inside the company and within specific departments;
Ensure compliance with legal and contractual obligations;
Maintain CargoX’s ability to adapt to business needs;
Protect the good name of CargoX;
Gain, maintain and protect the trust of CargoX’s clients and partners;
Reduce risk related to security.
Goals and benchmarks
To ensure that security policies are properly implemented, CargoX has set the following goals and benchmarks:
Increase company information security.
This goal is monitored through benchmarks such as:
Number of reported security events and incidents
Number of new security projects implemented
Number of trainings executed
Number of internal and external audits
Include information security verification in every project.
This goal is monitored by verifying that the project output documents (e.g. the project management plan (PMP), project initiation document (PID), project requirements document (PRD), and technical requirements document (TRD)) contain references to security checks and considerations.
All individuals, legal and natural persons, including employees, contractors, partners, and clients of CargoX are responsible for establishing, maintaining and implementing proper security precautions.
CargoX ensures that its employees and subcontractors (“Workers”) are aware of all security controls, policies, and procedures in use before they start work. All Workers need to go through mandatory security training. All Workers need to sign an NDA (Non-Disclosure Agreement), or a similar document, and a DPA (Data Processing Agreement) if they need to access any personal data. CargoX runs regular security training sessions for its Workers.
Security is not a one-person or a department job. All Workers are responsible for executing the given security policies.
All Workers of CargoX are obligated to report all security events and incidents (deviations from normal). A report needs to be executed as defined by internal standard operating procedures.
Reports need to be made in the event of:
Information security events and incidents;
Deficiencies or any suspected deficiencies in information security, as well as any threats to systems or services;
Malfunctioning of software or hardware.
Each notification of a suspected breach of the security policies is treated separately. During the investigation, the assigned access rights, competencies, or authorizations of Workers, partners, or clients may be withdrawn. Incidents are investigated by a person or group of persons within the company designated by management.
In the event of breaches of security policies, action shall be taken in accordance with the law and the rules prescribed in the security policy. External contractors shall be dealt with in accordance with the signed contract.
The management of CargoX d.o.o. is represented by the company's Chief Executive Officer (“CEO”). The CEO is responsible for the company's procurement, together with the management and the heads of the departments, for each of the following segments:
Material resources and infrastructure;
An appropriate working environment.
ISMS is part of ISO/IEC 27001:2022. By implementing ISMS, the management of CargoX commits to:
verify the efficiency and effectiveness of ISMS based on the results of risk assessment, internal audits and management reviews;
continuously update and train its Workers in security;
ensure sufficient resources and conditions to execute security policies, as defined by ISMS;
create, align and execute the company’s vision, mission, strategic goals and internal and external policies;
execute and commit to comply with all relevant local and international laws and regulations;
foster the right attitude towards clients, employees, contractors, partners, and the environment by leading by example.
At least once a year, management reviews the performance of the ISMS through an internal audit.
Managing the ISMS
The General Security Policy and other security policies (standards, procedures, plans, etc.) are approved by the management of CargoX. The management has created the Security forum inside CargoX, which is responsible for managing and maintaining the ISMS. Members of the Security forum are selected by the management.
The roles and responsibilities of the Security forum are as follows:
Ensuring that activities around information security are carried out in accordance with the adopted security policies;
Ensuring that non-conformities are properly addressed;
Reviewing and tracking security events and incidents;
Triaging and investigating security incidents and other related events which may affect security;
Ensuring that all Workers are properly included in the process of information security;
Raising and planning initiatives to increase information security, including care for education, awareness and training regarding the protection of information in the company;
Reviewing and maintaining the risk register, along with ensuring that proper controls for mitigating such risks are in place;
Tracking and reviewing security bulletins and other important changes in the use and maintenance of information security assets;
Preparing, maintaining and implementing the information security policies, security standards, and security guidelines in the company;
Making decisions on the implementation of security measures (corrective and preventive);
Verifying the execution of information security policies;
Monitoring the responses of interested parties, which also include requests that do not arise from the ISMS (SUVI);
Improving the ISMS (SUVI), e.g. through review of implemented corrective and preventive measures;
Aligning the topics above with the management and presenting the results.
In particular, by continuously improving ISMS within the framework of these objectives, CargoX aims to:
Ensure the competitive availability of CargoX’s services;
Protect the confidentiality and integrity of customers' information;
Ensure the orderliness and traceability of processes and continuously improve their efficiency;
Ensure transparency and allow the adequacy of operations to be validated by authorised institutions;
Achieve a highly recognised level of information security and thereby strengthen the public image of the company;
Reduce the likelihood of incidents with financial consequences for the company.
In line with these objectives, CargoX has established and maintains a General Security Policy and other related security policies. It implements an Information Security Management System (ISMS), which includes procedures, guidelines, responsibilities, and measures to achieve information security in the organisation. The ISMS enables the organisation to take a systematic approach to managing risk and ensuring information security in all its activities.
Legal Basis and Regulatory Compliance
The current legislation of the Republic of Slovenia, the ISO/IEC 27001:2022 standard, General Data Protection Regulation (GDPR), and best practices in the field of information security, which do not conflict with legislation, are taken into account when writing security policies, regulations, instructions, statements, and procedures.
© CargoX (November 2023)