Gofore Information Security Policy

Version 1.2

TABLE OF CONTENTS

  1. Our information security commitment
  2. Our information security principles
  3. Our information security approach

Every Gofore employee and contractor is obligated to read and comply with this Information Security Policy.

1. Our information security commitment

This information security policy underlines Gofore’s commitment to information security principles and recommended practices in dealing with employees, contractors, customers and suppliers.

Gofore’s business, as a digitalisation consulting company, is largely based upon the trust of clients, partners and other stakeholders. Information security is central to the preservation and assurance of this trust.

The confidentiality, integrity and availability of information, in all its forms, are critical to the on-going functioning and good governance of Gofore and its business interests. Every effort is made to ensure information security is effective and aligned with business goals and objectives, as well as compliance with applicable law and regulation.

It is essential that information security is an integrated characteristic of Gofore. We continuously improve our information security management system by setting information security objectives derived from our information security principles, and we review them at regular intervals. Gofore cultivates a security culture whereby security awareness is part of business-as-usual and employees take responsibility for security in their conduct and responsibilities.

In our best interests, and in yours, everyone at Gofore takes security seriously. Security is everyone’s responsibility.

2. Our information security principles

  1. The Gofore management team is committed to its overarching ownership of and responsibility for the information security management system.
  2. Information security risks are appraised and managed to ensure business continuity.
  3. Security policies and associated compliance expectations are communicated to employees and contractors in security on-boarding and employment contracts, and to customers and suppliers in framework agreements and contracts.
  4. Access to systems and to information is based on the security principle of information confidentiality and the need to know.
  5. Information is classified and handled according to appropriate security levels and personal data is processed according to the General Data Protection Regulation.
  6. Security is built into the design, development and acquisition of digital services, supported by secure development guidelines.
  7. Information networks are segregated, protected, monitored and managed in accordance with network security recommended practices.
  8. Security incidents are reported and handled in accordance with incident response recommended practices.
  9. Security training and a culture of security awareness are facilitated and fostered for employees and contractors.
  10. Every employee and contractor understands their duty to be security aware and to behave accordingly.

3. Our information security approach

In Gofore, information security is an integrated business-as-usual aspect of digital consulting and this determines our information security policy. As stated in our commitment, everyone takes responsibility for security in their role and conduct.

The Chief Executive Officer (CEO) is ultimately accountable for ensuring Gofore incorporates information security into corporate governance and business continuity.

The Executive Management Team is responsible for ensuring information security implementation is aligned with company strategy.

The Chief Information Security Officer (CISO) is responsible for information security awareness and for employee compliance with information security policies, procedures and guidelines. The Security Team and business function stakeholders support the CISO.

The Security Team are responsible for supporting the CISO in disseminating security awareness, ensuring the information policy, procedures and guidelines are complied with, and responding to security events. To ensure continual improvement, the information security management system is reviewed and updated annually to maintain compliance with ISO 27001 requirements and ISO 27002 code of practice where applicable.

Information security and data protection expectations are proactively communicated to customers and suppliers as part of framework agreements, contracts, and projects.

Project managers are responsible for ensuring information security and data protection compliance in the management and development of customer projects. Information security and data protection expectations are also determined by client requirements.

In Gofore, data protection is also an integrated business-as-usual aspect of digital consulting. Gofore processes personal data in accordance with applicable legislation, including the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).

Gofore considers the requirements set forth in the data protection legislation in all its business activities and expects and requires the same from subcontractors and other business partners. Gofore provides orientation for employees regarding guidelines for privacy and data protection.