Information Security Policy
For employees, consultants, customers, visitors, partners, and suppliers
Version 1.0
Table of contents
Foreword
Objectives of the Policy
Scope of application
Definitions
Guiding Principles
Roles and Responsibilities
Documentation and reporting
Compliance
Implementation, monitoring, and revision
Foreword
Lü Interactive Playground (“Lü”) recognizes the importance of information technology; computer systems, equipment, and devices; and the documents and Information it collects and generates in the course of its business, including the Confidential Information (such as Customer Information and Personal Information) collected, processed, or stored in the course of its business.
The Policy applies to all Information Assets held or used by Lü, regardless of their nature, location, or Storage Medium, and throughout their entire Life Cycle, i.e., from collection or creation to destruction in compliance with applicable laws and regulations.
Objectives of the Policy
The purpose of the Information Security Policy (the “Policy”) is to give Lü the relevant tools it needs to exercise sound governance with regard to Information Security. It constitutes the foundation of the organizational framework and aims to:
Ensure compliance with applicable laws and regulations, as well as with recognized practices in Information Security risk management
Set out the guidelines and principles for effectively ensuring Information Security and business continuity, including:
Ensuring the Integrity of the Information by preventing it from being destroyed or altered in any way whatsoever without authorization and storing it on a Medium that provides the necessary stability and durability
Restricting disclosure of Confidential Information to those who are authorized to receive it
Maintaining the Availability of the Information
Confirming, if necessary, the authenticity of a document or the identity of the person or device accessing the Information
Protect information throughout its Life Cycle, regardless of Medium or location
Scope of application
This Policy applies to all Lü employees, including but not limited to its personnel, third parties with whom Lü has a contractual relationship, subcontractors performing duties related to Information Assets or Information Security, and any other natural or legal person who uses or has access to Lü’s Information Assets. Lü is responsible for ensuring that all such persons comply with the guiding principles set out in this Policy.
Definitions
Information Asset: All information produced, collected, generated, or stored as part of Lü’s activities, as well as all technologies used, such as information systems, equipment (workstations, applications), and devices (virtual or physical), including computer hardware and software used to store, transfer, process, or remotely access assets as part of Lü’s operations. “Hardware” includes servers, computers, cell phones, voicemail, email, data, digital and paper documents, remote access, wired and wireless networks, Removable Electronic Media, tablets, PDAs, the internet, hosting sites, and systems. “Software” includes any applications or systems running on Lü’s hardware, or externally hosted systems used to carry out Lü’s business. “Information Assets” do not include devices belonging to employees, third-party personnel, or subcontractors, but do include remote access tools authorized by Lü’s IT department, such as VPNs and licensed cloud applications used with personal equipment.
Classification of Information Assets: Classification is a process that ensures that Information Assets are treated appropriately for their value, criticality, and sensitivity.
Confidentiality: The restricted nature of Information, access to which is limited to the persons authorized to consult it for the needs of the service and within the scope of their duties.
Life Cycle: All the stages in the life of a piece of Information, from its creation to its use, communication and transfer, storage, and destruction.
Availability: The assurance that Information is easily and uninterruptedly accessible to the Users authorized to access it.
Security Groups: Access to Lü systems is granted on the basis of predefined roles. Each role contains a specific access profile, designed to meet the Users’ needs and allow them to perform the activities attributable to their positions.
Phishing: A fraud technique based on identity theft, which consists of sending a mass message pretending to be a well-known organization in order to trick recipients into providing confidential Information without their knowledge.
Confidentiality Incident: Loss, theft, unauthorized access (intentional or not), use, or disclosure of Personal Information.
Security Incident: A Security event that compromises Lü’s business operations or the Confidentiality, Integrity, or Availability of an Information Asset.
Confidential Information: Information that can only be communicated or made accessible to authorized persons and entities.
Integrity: Ability to guarantee the completeness, precision, accuracy, and validity of Information throughout its Life Cycle.
Personal Information: Information about a natural person which, alone or in combination with other information, allows that person to be identified directly or indirectly.
Information Security: All the technical, organizational, legal, and human resources required and put in place to preserve, restore, and guarantee the Security of Lü’s Information Assets.
Removable Electronic Media: Portable, removable device (such as a USB stick, SD card, or external hard drive) that can be connected to an Information Asset, computer, or network to store data.
Telework: Professional activity done outside the employer’s offices, using computer and telecommunications tools.
User: Any person or entity, including Lü’s internal or external stakeholders, directors, officers, employees, contractors, or suppliers and their representatives, external partners, invitees, external organizations, and authorized businesses that in any way access, use, process, or maintain Lü’s Information Assets.
Guiding Principles
Global approach – Lü’s procedures, processes, measures, and contractual commitments relating to Information Assets must be developed, implemented, and applied in a way that maintains those Assets’ Integrity, ensures their Availability, and preserves their Confidentiality, while complying with the legal and regulatory obligations to which Lü is subject.
Inventory – Lü makes sure to inventory and classify its Information Assets. This inventory needs to include both physical assets (servers, workstations, network equipment, etc.) and logical assets (software, licenses, etc.), and assign each asset to an owner. The owner of the Information Asset is responsible for protecting the asset throughout its Life Cycle.
Classification – Lü uses an Information Asset Classification mechanism to establish the criticality of assets and assign the necessary protection measures and handling requirements to each class.
Responsibility – Every User with access to the Information Assets assumes responsibility for maintaining Security and complying with security measures, in particular with regard to maintaining the confidentiality of their login information, their access to the Information Assets from external networks, and the Security of Lü’s equipment and Removable Electronic Media. Every User answers to the Management Committee and is responsible for their actions.
Professional use – Lü’s Information Assets are made available to Users for professional use in the performance of their duties. The organization has identified rules for the acceptable use of its Information Assets, which are documented in the Information Security standards. These describe the acceptable use of communications equipment and systems, the protection of Personal Information, and the protection of materials and equipment outside the office (including when Teleworking).
Access – Access to Information Assets is limited based on Users’ responsibilities and tasks (principle of least privilege).
Protection of Personal Information – Access to and use of the Personal Information collected by Lü must be controlled and may be authorized only for the purposes for which it was collected or obtained, in accordance with the Privacy Policy and applicable legislation.
Contractual commitments – Any contractual agreement entered into with a service provider that relates to Information Assets or that is likely to have an impact on Information Assets must contain stipulations requiring providers to comply with this Policy. These stipulations must be consistent with the security measures applied by Lü.
Security Measures – Lü has implemented and will implement protection, prevention, detection, assurance, and correction measures based on the level of Classification of Information Assets, with the aim of ensuring the Confidentiality, Integrity, and Availability of these Information Assets, as well as access control, User authentication, and business continuity. The measures must also aim to prevent Confidentiality and Security Incidents, errors, malicious acts, and breaches of Confidentiality, Integrity, or Availability of Information Assets.
Lü performs periodic risk/vulnerability assessments and data privacy and security compliance audits. Lü will remediate any identified security vulnerabilities in a timely manner.
Human resources Security – Lü must conduct background checks on all employees prior to hiring, and during employment if required, in accordance with the applicable laws and regulations. Criminal, legal, and credit checks may be conducted. The necessity of a background check and the type required are determined by the criticality of the employee’s position, which in turn is determined by Human Resources management.
A consent form must be provided to employees when their backgrounds are being checked.
Monitoring – The Management Committee may control, monitor, verify, and record Lü Users’ access to or communication or use of Information Assets in order to ensure proper use of the Information Assets, as well as compliance with this Policy and Security measures.
Awareness and training – The Information Systems Security Manager must implement and enforce an Information Asset Security awareness and training program. The Security awareness and training program includes:
a) Training on how to implement and comply with relevant company Policies
b) Promotion of a culture of Security awareness through regular communications between management and Users
c) Identification of communication channels to ensure sufficient and timely notification of any actual or potential vulnerabilities or risks to Information Security
Evolution – The risks and Security measures for Information Assets must be evaluated regularly to ensure that they are adequate. Technological changes could have consequences for the Security of Information Assets, and as such they need to be identified, assessed, approved, planned, and controlled.
Roles and Responsibilities
Achieving the Information Security objectives requires a clear assignment of responsibilities at all levels of the organization, as well as the adoption of Security management processes that ensure appropriate accountability. This means that Information Security is a collective responsibility, with individual responsibility being based on roles. As such, Information Security awareness and training are essential.
Responsibility for protecting the company’s Information Assets lies with the committees, the main roles in the organization, and the Users.
Key roles
Role: Vice-President, Operations and Confidentiality Officer
Main Information Security responsibilities:
Ensures that risk analyses are carried out and that significant Information Security risks are included in the risk log
Classifies Information Assets, following the established procedure
Approves Information Security actions and authorizes the corresponding budgets
Assesses cybersecurity insurance needs
Ensures compliance with all standards and regulations to which the organization is subject, including those relating to the protection of Personal Information
Appoints an Information Systems Security Manager (ISSM)
Oversees the implementation and testing of the business continuity plan
Approves the Information Security Policy and ensures its implementation
Approves the roles and responsibilities of the Information Security Governance Committee and appoints its members
Ensures Users have access to a whistleblowing mechanism regarding this Policy
Maintains a list of legal and regulatory requirements for the protection of Information Assets, including confidentiality
Collaborates with the external legal department to write contractual clauses to reflect third parties’ requirements to comply with this Policy and relevant Security measures
Informs the relevant regulatory authorities of any Confidentiality or Security Incidents in accordance with the applicable regulations
Role: Director of Information Technology
Main Information Security responsibilities:
Acts as Information Security Manager for the organization
Uses established methods to carry out Information Security risk analyses and informs the VP Operations of significant risks to the organization in a timely manner
Selects and recommends appropriate Security measures to mitigate Information Security risks, and oversees their implementation
Annually prepares and/or revises an Information Security master plan for achieving the objectives of the Policy, and communicates it to stakeholders
Makes suggestions to the VP Operations regarding the human, financial, and material resources needed to maintain and improve Information Security
Ensures that employees have the Information Security skills they need to do their work
Determines the Information Security criticality of each position
Controls, monitors, verifies, and records all access to and communication and use of Information Assets
Identifies the risks that may arise from an activity entrusted to a third party, monitors those risks, and includes appropriate clauses in the contract
Designs and tests the IT contingency plan
Implements a plan for managing access to Information Assets based on Users’ roles and responsibilities
Ensures that assets are handled and destroyed correctly
Role: Manager
Main Information Security responsibilities:
Informs new employees of the Policy upon hiring
Follows the established procedure to perform Security checks on employees, contractors, and third parties upon hiring and during employment, depending on the criticality of the position
Communicates all personnel movements and employee arrivals/departures to the ISSM at once for access management purposes
Ensures that employees under their responsibility use Information Assets correctly and follow the Policy
Makes team members aware of the protections and the Security controls and measures related to the use of Personal Information
Works closely with the ISSM and provides the necessary support for employees to perform their duties
Ensures that Information Security and Protection clauses are included in employee contracts and agreements with partners
Role: User (permanent, temporary, and contract employees)
Main Information Security responsibilities:
Reads and abides by this Policy
Applies the security measures required to protect Information Assets, in accordance with established procedures
Attends the mandatory Information Security and Confidentiality awareness and training sessions offered by the company
Uses the established procedure to report any events that could threaten the protection of the company’s Information Assets
Reports breaches of this Policy to their immediate superior or through the whistleblowing mechanism
Committees
Committee: Management Committee
Main Information Security responsibilities:
Learns about Information Security trends
Makes recommendations to the VP Operations regarding technological orientations, Information Security, and the protection of Personal Information
Sets strategic priorities for Information Security
Follows up on the resolution of major Confidentiality/Security Incidents and the implementation of action plans to resolve non-compliance
Committee: Tactical Security Committee
Main Information Security responsibilities:
Evaluates and approves IT work requests, including change requests
Approves any technological changes that could pose a risk to Information Security or to existing Security measures
Follows up on the resolution of Confidentiality/Security Incidents and the implementation of action plans to resolve non-compliance
Reviews the results of vulnerability scans and proposes necessary actions
Documentation and reporting
The ISSM reports annually to the Management Committee. The accountability report indicates the following for the period:
The number of Security Incidents that have occurred and the actions taken to address them
The number of violations of this Policy and the actions taken to remedy them
An assessment of training and awareness-raising activities
The status of activities planned in the Security roadmap and the Security roadmap for the coming year, as well as the budget required to implement it
Compliance
Failure to comply with this Policy may result in breaches or violations of Lü’s Code of Conduct, Ethics, and Values. As such, the whistleblowing process must be carried out quickly to enable Lü to take charge of the situation. Depending on the severity of the violation, administrative or disciplinary measures may include, but are not limited to, verbal notice, reprimand, suspension, or dismissal. Lü may terminate agreements binding it to third parties, subcontractors performing duties related to Information Assets or Information Security, or any other natural or legal person who uses or has access to Lü’s Information Assets and with whom Lü has a contractual relationship if they fail to comply with the Policy.
The company may submit Information on any User of an Information Asset to a judicial authority if the User has contravened the Policy and there is reason to believe that a law or regulation in force has been breached. The offender could face legal action and prosecution as a result.
Implementation, monitoring, and revision
This Policy takes effect on the date it is signed by the VP Operations indicated below. It will be reviewed every three years, or sooner if legal changes or technological developments affect its application. This Policy was last updated in September 2023. This Policy supersedes all prior versions, if any, and is subject to change at any time at Lü’s sole discretion.
Document history
Version | Application | Adoption date | Description | Manager’s name and position
1.0 | Entry into force | 2023-08-23 | New policy | VG