Updated: 2024-07-16, version: 2.5

A premium provider

At Digitalist, we are proud to be a premier provider of open technologies in the Nordic market. As a hybrid company, we balance remote and on-site work, ensuring all our operations are managed securely and efficiently.

Information security @ Digitalist

We have defined all our Asset registry and set the requirements for these assets regarding the level of Confidentiality, Traceability, Integrity and Availability; read more about this in ‣ below.

Based on this, we take appropriate measures to secure these assets.

Our objective - creating a healthy security culture

We acknowledge that the single most important factor to succeed in our work to protect our information assets is a good security culture characterized by:

• Information security is not a special interest, but a corner stone in everything we do
• The entire staff takes joint responsibility for information security
• Our security systems are under constant development
• Open communication between staff and management
• It all starts with the management and the values
• Stopping production due to safety reasons is not met with negativity

The foundation

In order for ensuring healthy information security to our information, our clients’ information and our partners’ information, three pillars must work together. These are our guiding principles to guide all activities relating to information security.

People

People are often considered the weakest link in information security. All of us need to have high information security awareness. We must all follow the security guidelines.

Process

Our policies, routines and guidelines that govern how we handle and protect our data. Our information classification scheme, incident management etc.

Technology

This involves the hardware and software solutions used to protect us and our clients’ solutions. While technology is essential, it is most effective when used in conjunction with strong processes and well-educated people.

A joint effort

Our commitment to information security is paramount, guided by the SS-ISO/IEC 27001 international standard. We handle significant amounts of sensitive data, which requires meticulous and constant attention to information security from all of us - both employees and subcontractors.

Information classification

Our approach to security revolves around the principles of Confidentiality, Integrity, Availability, and Traceability (CIAT), applicable to every information asset we handle. We understand that information security is a shared responsibility, and we are all accountable for adhering to our stringent security policies and routines.

Roles and responsibilities

Key stakeholders in our information security practices include our board, employees, clients and Information Asset Owners. Our management group leads our overall security efforts, while Information Asset Owners are responsible for ensuring the quality and secure handling of the information within their respective business units.

All of us must follow “Priority Security Responsibilities as an Employee”.

Segregation of Duties

Handling exemptions and exceptions

Rule of thumb: only the personell deemed necessary are involved in handling the information security incident.

The Information Security Incident Responsible decides who need to be involved in the incident and also who needs to be informed:

• Progress of the incident
• Outcome of the incident
• Lessons learned

If Information Security Incident Responsible has reported an incident, that handling of that incident will be delegated to Information Security Manager.

All of us follow the Manage Information Security Incidents Policy and the Report Information Security Incident Routine.

Initiator and Executor

The Initiator and Executor are never the same person. Eg: if the Information security manager initiates a security errand, he/she can never be the one executing the specific measure. Instead, it could be our IT-admin.

Risk handling

As part of our ongoing commitment to effective information security, we carry out regular risk assessments and risk management processes. All of us are responsible for identifying and managing risks, and we prioritize immediate reporting and response to any security incidents.

A dynamic policy

Our information security policy is a dynamic, living document that adapts to larger changes in our business. We conduct an annual internal audit and quarterly management reviews, ensuring our policy stays effective, relevant, and aligned with our evolving business needs.

Across all operations - continuous improvement

Our information security policy is applicable across all operations, from Sales and Marketing to Delivery, Maintenance, and Consulting. It covers all our information assets, operational activities, and internal support functions, and extends to all our offices and subsidiaries where Digitalist Open Tech AB is the majority owner. Together, we are building a secure, robust, and resilient Digitalist.

<aside> 💡 We measure our success by the number of serious security incidents caused by Digitalist, how well we manage to handle them and mitigate the damage they cause

</aside>