Purpose
To define management direction for protecting information belonging to or under the custody of SOFTSOURCE Limited (Trading as Softsource vBridge). To ensure that all in-scope information and information technology assets are protected from unauthorised access, use, disclosure, disruption, modification, and destruction, whilst enabling use by Softsource vBridge personnel to support Softsource vBridge interests, customers, and services.
Scope
This policy applies to all Softsource vBridge held information, information systems, employees, independent contractors, and third parties who use, or have access to Softsource vBridge information, data, facilities, or systems. These people may work for Softsource vBridge or any other party.
Objectives
This policy has three goals.
- Protect Softsource vBridge (including customer and employee) information, data, facilities, and systems from information security threats, whether internal or external, deliberate, or accidental.
- Maintain proper levels of security ability and resources to improve our information security practices, security systems and controls.
- Be business-enabling, meet customer information security requirements, enhance Softsource vBridge reputation, and ensure Softsource vBridge operations meet our contractual and regulatory obligations.
Policy
These statements define the actions we will take to support good information security.
Senior Management Commitment and Leadership
Softsource vBridge’s senior management demonstrates leadership and commitment with respect to the Information Security Management System (ISMS) by:
- Ensuring that this information security policy and its objectives are established and compatible with the strategic direction of Softsource vBridge.
- Taking accountability for the effectiveness of the ISMS.
- Actively participating in major ISMS decisions and initiatives.
- Promoting a culture of information security awareness throughout the organisation.
We will take a well-defined approach to Information Security
We will use the viewpoints of confidentiality, integrity, and availability (CIA) to guide our information security activities:
- Confidentiality: ensure that only authorised persons or entities access information.
- Integrity: ensure that information is not altered without authorisation.
- Availability: ensure that information and services are accessible when required by authorised users.
- We will run our security controls and operations per our regulatory and contractual obligations.
- We will support an Information Security Management System (ISMS) that is certified and externally audited against ISO/IEC 27001:2022.
- We will stay committed to Information Security.
- We will take into account applicable security requirements and results from risk assessments and risk treatments, incorporating insights from our Threat Intelligence Process, in accordance with ISO/IEC 27001:2022.
Integration of ISMS into Organisational Processes
Senior Management ensures the integration of the ISMS requirements into Softsource vBridge’s business processes by:
- Aligning ISMS objectives with overall business objectives.
- Incorporating information security considerations into project management methodologies.
- Integrating ISMS controls into operational procedures and workflows.
- Ensuring information security is a key consideration in procurement and vendor management processes.
Resource Allocation for ISMS
Senior Management commits to ensuring that the resources needed for the ISMS are available, including:
- Human resources with appropriate skills and expertise.
- Financial resources for security initiatives and improvements.
- Technological resources to support security controls and monitoring.
- Time allocation for ISMS-related activities and training.
Communication of ISMS Importance
Senior management actively communicates the importance of effective information security management and conforming to the ISMS requirements through:
- Regular security awareness communications to all staff.
- Inclusion of information security topics in company-wide meetings.
- Leading by example in adhering to security policies and procedures.
- Recognising and rewarding good security practices within the organisation.
Ensuring ISMS Effectiveness
Senior management ensures that the ISMS achieves its intended outcomes by:
- Regularly reviewing ISMS performance against set objectives.
- Addressing any identified gaps or shortcomings in the ISMS.
- Adapting the ISMS to changes in the business environment and emerging threats.
- Providing necessary support for continuous improvement of the ISMS.
Direction and Support for Staff
Senior management directs and supports staff to contribute to the effectiveness of the ISMS by:
- Clearly defining roles and responsibilities related to information security.
- Providing opportunities for staff to contribute ideas for improving security practices.
- Ensuring adequate training and resources are available for staff to fulfill their security responsibilities.
- Encouraging a culture where security concerns can be raised without fear of reprisal.
We will regularly evaluate the performance of the Information Security Management System (ISMS)
- We will regularly monitor, measure, analyse, and evaluate the effectiveness of our Information Security Management System (ISMS) to ensure it meets our security objectives and supports continual improvement.
- We will set specific metrics and key performance indicators (KPIs) related to information security.
- We will conduct internal audits and review the ISMS performance during regular management reviews.
- The results of these evaluations will inform decisions on necessary adjustments and improvements to our security practices.
We are all part of this policy’s compliance process.
- The Softsource vBridge senior leadership team, all employees, contractors and third parties who have access to Softsource vBridge information, data, facilities, and systems, must follow this policy and all supporting, approved security policies, standards, controls and procedures made under it.
- Softsource vBridge will follow its Disciplinary Policy and procedures in response to any failure to comply.
Regulatory Requirements
Softsource vBridge will follow all New Zealand legislation including:
- Contract and Commercial Law Act 2017
- Unsolicited Electronic Messages Act 2007
- Harmful Digital Communications Act 2015
- New Zealand Privacy Act 2020
- Other acts and regulations that can be found in the Register of Regulation and Legislation
Softsource vBridge will follow key regulators affecting information security, including:
- Government Communications Security Bureau (GCSB)
- Department of Internal Affairs Government Chief Digital Officer
- New Zealand Police
- New Zealand Security Association (NZSA)
Ownership
The Softsource vBridge Information Security Manager keeps this document on behalf of the Senior Leadership Team. Should you have any queries or require clarification around any part of this document, please email [email protected]