
Our Approach to Security

Internal Organisation and Policies

As a technology supplier, Juristic seeks to ensure that data and information are protected in the best possible way. This also applies to the allocation of the responsibility roles recommended by ISO 27001. To comply with these standards, a supplier should have allocated all responsibilities for information security in relation to the performance of a contract entered into. ISO 27001 defines four primary roles: (a) top management; (b) an information security coordinator; (c) an information security committee; and (d) a system owner.

Although Juristic is a start-up, and as a result there is a natural staffing limitation, responsibilities have been allocated as appropriately as possible.

The top management consists of Christian Hjortshøj (CEO) and Kean Ottesen (CTO). For IT security purposes, the responsibilities of the top management are to set the security level for Juristic, to establish and deploy an Information Security Management System (ISMS), and to ensure that the employees are qualified to work securely within the organisation. The latter is done both through training at start-up and through a general principle of "least privilege" across tools and vendors, which means that employee access is restricted so that employees do not have access to more than they need.

Due to the size of the organisation, Juristic does not yet have a separate security coordinator or information security committee, so these roles also lie with senior management.

A system owner has operational responsibility for ensuring that systems work and that customers have access to the information they need, when they need it (availability). Similarly, it is the responsibility of the system owner to ensure the accuracy and completeness of information (integrity). Sensitive information must be protected from unauthorised access (confidentiality).

Juristic has adopted a procedure for aligning rights and responsibilities in the context of internal re-organisations, changes of employment and terminations. Juristic's security policies are, to the degree possible, modelled on the requirements in ISO 27001 and ENISA. Juristic plans to begin the formal certification process within a short time. Please contact the CEO, Christian Hjortshøj (ch@juristic.io), for further information if this is a requirement for your organisation.

As mentioned above, Juristic as an organisation applies the principle of "least privilege", which obviously has an impact on access management. Juristic employees have access only to the information and personal data they are specifically authorised to use in relation to the performance of the agreement. Logs of access and access history may be provided at the customer's request on a regular basis so that this principle can be verified.

Juristic has implemented the following policies and procedures, which are available as needed and on request:

  • Antivirus and Malware Policy
  • Business Continuity Plan
  • Information Security Incident Procedure
  • Information Security Policy
  • Patch Management Policy