Information Security Policy
Purpose
In accordance with Personal Data Protection Act no. 90/2018, Sparnaður is required to ensure data security. This information security policy describes the company's emphasis on that duty. It is imperative to protect the company's personal information against all threats, internal or external, whether these threats stem from intent or negligence. This policy allows employees, customers, and others to trust Sparnaður's intention to guard the security of personal data in terms of confidentiality, accuracy, and availability.
Scope
This information security policy covers the handling and storage of all personal information under Sparnaður’s control. It includes the company's internal operations and the services Sparnaður provides to its customers on shared or dedicated equipment, in addition to all internal systems, software, and hardware owned and fully controlled by Sparnaður. It also covers premises where personal data is processed, as well as employees and contractual parties who have access to the information.
Objective
Sparnaður ehf.'s objective with this information security policy is to ensure that:
- Personal information is accurate and accessible to authorized parties.
- The confidentiality of personal data and trust is maintained in accordance with applicable laws and regulations.
- Personal information is preserved against damage, destruction, or disclosure, whether through intent or negligence.
- Personal data that passes through Sparnaður's systems reach the correct recipient, unaltered and in a timely manner.
- The risk associated with processing personal data falls within defined risk limits.
- The company is in compliance with all laws, regulations, and rules regarding the processing of personal data.
- All contracts that the company is a party to and that concern the protection of personal data are compliant.
- All deviations, breaches, or suspicions of vulnerabilities in information security are reported and investigated.
- The company continuously works toward the improvement of information security.
Ways to the Objective
Sparnaður's pathways to these stated objectives are to:
- Maintain a record of information assets containing personal data, in digital form or on paper, and categorize them based on the nature and importance of confidentiality.
- Regularly identify, through formal risk assessment, the risk to individuals of processing personal data.
- Control the risk associated with processing personal data within defined limits with an information security management system.
- Perform a privacy impact assessment if it is likely that a particular type of processing could pose a significant risk to the freedom and rights of individuals, such as when planning to use new systems that host or otherwise process personal data.
- Maintain a quality manual with procedures and processes for processing personal data.
- Ensure that all Sparnaður's employees receive regular training and education regarding the security of personal data and their responsibility.
- Ensure that all employees follow applicable laws and regulations.
- Ensure a copy of the personal data exists and is stored securely.
Responsibility
- Sparnaður’s management is responsible for this information security policy and reviews it regularly.
- The CEO of Sparnaður is responsible for implementing the policy.
- The Security Manager oversees the daily management of information security.
- The Data Protection Officer ensures staff receive proper education on data protection.
- All Sparnaður's employees must follow this information security policy.
- All Sparnaður's employees must report any security deviations and vulnerabilities regarding data security.
- Those who willingly threaten Sparnaður's data security face litigation or other appropriate legal action.
Review
This policy should be reviewed annually, and more often if necessary, to ensure its alignment with Sparnaður's objectives.
Approval
This policy was approved by Sparnaður ehf.'s board on 19.12.2019.