Overview
This document outlines Parsable, Inc. (Parsable)’s information security requirements for all employees. Parsable’s management has committed to these security policies to protect information utilized by Parsable in attaining its business goals. Parsable has created this set of security policies to communicate the requirements for secure use of company resources and operation of our SaaS product offering; it represents Parsable’s strategy for how it will implement Information Security principles and technologies.
Purpose
The purpose of this policy is to establish a security framework designed to protect the confidentiality, integrity, and availability of both Parsable and customer information assets from accidental or intentional unauthorized access, modification, damage, or deletion in order to aid Parsable in attaining its business goals. This document defines high level information security protections within the organization, including definitions, roles, responsibilities, procedures, and performance including metrics and reporting mechanisms. Standards and procedures related to this policy are published separately and updated as required.
Scope
This policy applies to all users of information systems and data within the organization to include both employees and third-party contractors as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). The requirements apply to Parsable’s enterprise IT systems and to SaaS products unless explicitly stated otherwise.
Definitions
The following definitions apply to this policy and all sub policies.
Confidentiality: a characteristic of information or information systems in which such information or systems are only available to authorized entities.
Integrity: a characteristic of information or information systems in which such information or systems may only be changed by authorized entities, and in an approved manner.
Availability: a characteristic of information or information systems in which such information or systems can be accessed by authorized entities whenever needed.
Information Security: the act of preserving the confidentiality, integrity, and availability of information and information systems.
Standard: Expected user behavior when interacting with information assets, based on the security designation and information handling requirements.
Procedure: Technical specifications, methodologies, and specific instructions for data (format, structuring, tagging, storage, transmission, manipulation, reporting) and for the use of data.
Objectives
The organization’s objectives for information security are in line with the organization’s business goals, strategy, and plans. This security policy aims to accomplish the following objectives:
- To maintain the confidentiality and privacy of the information assets controlled and processed by Parsable.
- To provide protection for the integrity of the information assets controlled and processed by Parsable.
- To ensure the availability of internal enterprise IT systems and the external SaaS product offering.
- To comply with all applicable legislative, regulatory, and contractual requirements concerning information security.
The security policy indicates executive management’s commitment to maintaining a secure enterprise IT infrastructure and SaaS product offerings. All objectives must be reviewed at least once per year. The company will measure the fulfillment of all objectives at least once per year, and the results must be analyzed, evaluated, and reported to the management team.
Roles
Chief Information Security Officer
This policy requires the appointment of a Chief Information Security Officer (CISO), who manages the information security program, which includes procedures and policies designed to lower the operational risk to the business by protecting enterprise communications, information systems and assets from both internal and external threats.
The general duties of the CISO include:
- Keeping on top of the latest developments on the evolving information security landscape.
- Guiding information security policies, processes, governance, and compliance.
- Approving exceptions to these policies on a case-by-case basis.
- Coordinating formal risk assessments, reviews, and reports related to key performance indicators and key risk indicators.
- Managing, monitoring, and continually improving data protection measures.
- Driving security awareness within the Parsable organization.
- Liaising and building trust with customers in relation to information security matters.
The CISO doesn’t necessarily need to be an independent position but can be a designation fulfilled by an existing member of the executive or operational management team as long as that employee has the authority to hold a management role, and the resources and abilities to commit to the position.
Chief Privacy Officer
This policy requires the appointment of a Chief Privacy Officer (CPO), who directs Parsable’s privacy strategy, steering the business through the complex array of data protection regulations that affect the organization.
The general duties of the CPO include:
- Keeping on top of the latest developments on the evolving data privacy landscape.
- Guiding privacy policies, processes, governance, and compliance.
- Raising awareness, arranging staff training and promoting best privacy practices.
- Driving privacy awareness within the Parsable organization.
- Liaising with regulatory authorities and members of the media in relation to privacy matters.
- Building trust with privacy-conscious consumers.
More specific guidance on the responsibilities of this role can be found within individual information security policies.
The Chief Privacy Officer doesn’t necessarily need to be an independent position but can be a designation fulfilled by an existing member of the executive or operational management team as long as that employee has the authority to hold a management role, and the resources and abilities to commit to the position.
InfoSec Team
This policy calls for the formation of the InfoSec team, drawn from members of the technology department and consisting of:
- CISO
- InfoSec Risk and Governance Technical Program Manager
- IT Engineers
- Core Engineers
This team is responsible for enforcing compliance, responding to incidents, and approving exceptions.
Information Security & Privacy Steering Committee
This policy calls for the formation of the Information Security and Privacy Steering Committee, a team that represents the various functions of the business critical to the protection of Parsable’s information assets.
This Team will always include the CISO and the CPO and representatives from the following departments:
- Technology
- People
- Finance / Operations
- Customer Support
These team members should be appointed by their department for a term of one year and may serve more than one term. In the event of a team member’s departure, the department should appoint another team member to fulfill the duty. This team should annually select a leader who is not the CISO or CPO to manage the operational cadence until such time as there is a full-time employee dedicated to the task.
This team is responsible for meeting on a semi-annual basis to assess current risks and review key performance metrics.
Business Owner
Each corporate information system will be owned by a single business owner who has budgetary and system governance responsibilities. This owner may delegate the administration of some or all of the system to IT, but the Business Owner remains accountable for the application of this and related policies to systems, data, and other information resources managed by the .
Departmental Data Stewards
A department may appoint one or more Data Stewards who are responsible for the application of this and related policies to systems, data, and other information resources under their care or control.
System Administrators
Systems Administrators are responsible for the application of this and related policies to the systems, information, and other information resources in their care at the direction of the Data Stewards.
Sub Policies
Parsable maintains separate sub policies, each in its own document, for the following specific security topics:
- Acceptable Encryption Policy
- Acceptable Use Policy
- Data Classification Policy
- Password Policy
- Access Control Policy
- Logging Policy
- Monitoring Policy
- Security Awareness & Training Policy
- Physical Security Policy
- Removable Media
- Backup & Recovery Policy
- Record Retention & Disposal Policy
- Third Party Vendor Management
- Business Continuity / Disaster Recovery
- Vulnerability Management
- Risk Management Policy
- Change Management Policy
- Incident Response Policy
- Hiring Procedure
- Termination Procedure
- Privacy Compliance Procedures
- Remote Work Policy
Enforcement
This set of policies will be enforced by the Information Security Team and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, Parsable may report such activities to the applicable authorities.
Third party vendors found to have violated this policy may incur financial liabilities, in addition to termination of contract.
Policy exemptions will be permitted only if approved in advance and in writing by the CISO.