Information Security Policy

The masculine gender is used in this document for the sole purpose of simplifying the text.

This document is intended for employees, advisors, customers, visitors, partners and suppliers.

Version 1.1

Table of contents

  1. Preamble
  2. Policy Purpose
  3. Scope
  4. Definitions
  5. Guiding Principles
  6. Roles and Responsibilities
  7. Documentation and Reporting
  8. Compliance
  9. Implementation, Monitoring and Review

1. Preamble

Lü Interactive Playground (“Lü”) recognizes the importance of information technology, computer systems, equipment and devices, as well as the documents and information that it collects and generates in the context of its activities, including Confidential Information such as customer information and Personal Information collected, processed or stored in the context of its activities.

This Policy concerns the Information Assets that Lü holds or uses, regardless of their nature, their location and the Medium on which they are found, for their complete Life Cycle, i.e. from their collection or creation until their destruction in compliance with applicable laws and regulations.

2. Policy Purpose

The Information Security Policy (the “Policy”) aims to provide Lü with the appropriate and necessary tools to exercise sound governance with respect to Information Security. It forms the foundation of the organizational framework and comprises the following objectives:

  1. Ensuring compliance with applicable laws and regulations as well as recognized practices in Information Security risk management;
  2. Establishing the guidelines and guiding principles intended to effectively ensure Information Security, as well as business continuity, in particular:
    • Ensuring the Integrity of the information so that it is neither destroyed nor altered, in any way whatsoever, without authorization, and by means of a Medium which provides the necessary stability and durability;
    • Limiting the disclosure of Confidential Information to those authorized to have access to it; only employees who need the confidential data for their work may access it;
    • Ensuring information Availability and allowing, where necessary, confirmation of the authenticity of a document or of the identity of a person or device accessing the information;
    • Protecting information throughout its Life Cycle, regardless of its Medium or location.

3. Scope

This Policy applies to all employees of Lü, including, but not limited to, its personnel, third parties with whom Lü has a contractual relationship, subcontractors performing duties related to Information Assets or Information Security and any other natural or legal person who uses or has access to Lü’s Information Assets. Lü is responsible for ensuring that all such persons comply with the guiding principles set out in this Policy.

4. Definitions

Availability: The assurance that information is easily accessible to Users authorized to access it in an uninterrupted manner.

Confidentiality: The reserved nature of information, access to which is limited to only those persons authorized to consult it for the needs of the service and within the framework of their duties.

Confidentiality Incident: The intentional or inadvertent loss, theft, unauthorized access, use or disclosure of Personal Information.

Confidential Information: Information that may only be disclosed or made accessible to authorized persons and entities.

Information Asset: All information produced, collected, generated or stored in the context of Lü’s activities, all technologies used, such as information systems, equipment (workstations, applications) and devices (virtual or physical), including computer hardware and software used to store, transfer, process or remotely access assets in the context of Lü’s operations. Hardware includes servers, computers, mobile phones, voicemail, email, data, documents (paper, digital), remote access, wired and wireless networks, Removable Electronic Media, tablets, personal digital assistants, Internet, hosting sites and systems. Software includes any applications or systems running on Lü’s hardware, or externally hosted systems, used to conduct Lü’s activities. Information Assets do not include devices owned by employees, third-party personnel or subcontractors, but do include remote access tools authorized by Lü’s IT department, such as VPN and licensed cloud applications used with personal equipment.

Information Asset Classification: Classification is a process that ensures the treatment of an Information Asset according to its degree of sensitivity, its value and its criticality.

Information Security: The set of technical, organizational, legal and human resources that are necessary and implemented to preserve, restore and guarantee the security of Lü’s Information Assets.

Integrity: The capacity to guarantee the comprehensiveness, precision, accuracy and validity of information throughout its Life Cycle.

ISSO: The Information Systems Security Officer (ISSO) defines and develops the information security policy of their company. They are responsible for its implementation and ensure its monitoring. They protect the company from potential risks related to cyberattacks, such as spoofing, ransomware or DDoS attacks. They also carry out projects such as internal security policies at the employee level (e.g. password change every six months, etc.).

The Information Systems Security Officer must also inform staff about security issues and standards through the implementation of tools (digital charters, security guidelines) or communication activities, etc.

ITC: Information Technology Committee.

Life Cycle: All the stages that make up the life of information from its creation, through its use, its disclosure/transfer, its storage until its destruction.

Personal Information: Information that concerns a natural person and which alone or in combination with other information allows that person to be directly or indirectly identified.

Removable Electronic Media: A removable portable device that can be connected to an Information Asset, a computer or a network to provide data storage (USB flash drives, SD cards, external drives).

Security Incident: A security event that compromises Lü’s business activities or the Confidentiality, Integrity or Availability of an Information Asset.

Telework: Professional activity carried out outside the employer’s offices, using IT and telecommunications tools.

User: Any person or entity, including Lü’s internal or external stakeholders, directors, officers, employees, contractors or suppliers and their representatives, external partners, guests, external organizations or authorized companies who, in any way, access, use, process or store Lü’s Information Assets.

5. Guiding Principles

  1. Overall Approach – Lü’s procedures, processes, measures and contractual commitments relating to Information Assets must be developed, implemented and applied in such a way as to maintain their Integrity, ensure their Availability and preserve their Confidentiality, and in such a way as to comply with the legal and regulatory obligations to which Lü is subject.
  2. Inventory – Lü ensures that it inventories and classifies its Information Assets. This inventory must include physical assets (servers, workstations, network equipment, etc.) and digital assets (software, licenses, etc.) and must assign each asset to an owner. The owner of the Information Asset is responsible for protecting the asset throughout its Life Cycle.
  3. Classification – Lü uses an Information Asset Classification mechanism that aims to establish the level of criticality of the assets and allows each class to be assigned the required protection measures and adequate handling requirements.
  4. Responsibility – Each User having access to the Information Assets assumes responsibilities with regard to maintaining security and compliance with security measures, in particular with regard to preserving the Confidentiality of their identifiers, their access to the Information Assets via external networks, and the security of Lü’s equipment and Removable Electronic Media, in addition to being accountable for their actions to the Executive Committee.
  5. Use for professional purposes – Lü’s Information Assets are made available to Users for professional purposes in the performance of their duties. The organization has identified rules for acceptable use of its Information Assets, which are documented in the Information Security standards. These describe the acceptable use of communication equipment and systems, the protection of Personal Information, and the protection of materials and equipment outside the office (including Telework).
  6. Access rights – Access rights to Information Assets are granted on a restricted basis to Users based on their responsibilities and tasks (principle of minimal access).
  7. Protection of Personal Information – Access to and use of Personal Information collected by Lü must be controlled and must only be authorized for the purposes for which the Personal Information was collected or obtained, all in accordance with the Privacy Policy and applicable laws.
  8. Contractual commitments – Any contractual agreement entered into with a service provider relating to the Information Assets, or likely to have an impact on Information Assets, must contain provisions imposing obligations on the provider to meet the requirements of this Policy; alternatively, the provider must, through its own by-laws, comply with this Policy in a manner consistent with the security measures enforced by Lü.
  9. Security measures – Lü has implemented and will implement protection, prevention, detection, assurance and correction measures according to the level of Information Asset Classification in order to ensure the Confidentiality, Integrity and Availability of these Information Assets, as well as access control, User authentication and continuity of operations. Measures must also aim to prevent Confidentiality and Security Incidents, errors and malicious acts, as well as breaches of the Confidentiality, Integrity or Availability of Information Assets.
     Lü periodically conducts risk and vulnerability assessments, as well as compliance checks relating to confidentiality and data security, and must promptly rectify any security vulnerabilities that are identified.
     Lü is committed to maintaining the security of the systems and services it develops through regular updates. We make constant improvements and apply corrective actions (also called “patches”) to ensure the efficiency, optimal performance and security of our systems. These updates may include changes to strengthen security, fix bugs or improve functionality. Lü reserves the right to make these updates without prior notice, while ensuring that this does not interfere with the user experience and in accordance with our Privacy Policy.
     Lü maintains a detailed event log that records user actions within the system for security purposes. This practice allows us to identify, understand and respond appropriately to any unusual or suspicious behaviour, as well as to any possible security breach. Event logging may include information such as the date and time of actions, details of the action performed, and the user ID. This information is collected and stored in accordance with our Privacy Policy and is used only to protect the security of our users and ensure the integrity of our services.
  10. Human resources security – Lü conducts background checks if necessary prior to hiring. The need for a background check, as well as the type of verification, is established based on the criticality level of the employee’s position. The level of criticality is established by the human resources department. Verification may be conducted at the criminal, judicial and credit profile levels. A consent form must be provided to the employee concerned for each verification.
  11. Monitoring – The Executive Committee may control, monitor, verify and record any access, disclosure, or use of the Information Assets made by Users to ensure adequate use of the Information Assets and compliance with this Policy and security measures.
  12. Awareness and training – The information systems security committee must implement and enforce an Information Asset security awareness and training program. The security training and awareness program will include:
    1. Training on how to implement and comply with relevant company Policies;
    2. Promoting a culture of security awareness through periodic communications from management to Users;
    3. Identification of communication channels to ensure adequate and timely notification of any actual or potential information security vulnerability or risk.
  13. Evolution – A periodic assessment of the risks and security measures of the Information Assets must be carried out to ensure their adequacy. Technological changes could have consequences for the security of the Information Assets and must be identified, assessed, approved, planned and controlled.

6. Roles and Responsibilities

Achieving Information Security objectives requires clear assignment of responsibilities at all levels of the organization and the adoption of security management processes that ensure appropriate accountability. Thus, Information Security is a collective responsibility, and each person is held accountable according to their specific role. Awareness regarding Information Security and relevant training are thus essential elements.

Responsibilities for protecting the company’s Information Assets are divided among committees, the key functions of the organization and Users.

Functions – Key Responsibilities (Information Security)

President owner
  • Acts as the Information Security Officer for the organization.

Executive Director and Representative of the Information Technology Committee
  • Ensures that risk analyses are carried out and that significant risks related to Information Security are included in the risk register;
  • Carries out the Information Asset Classification according to the prescribed procedure;
  • Approves the actions to be taken regarding Information Security and authorizes the corresponding budgets;
  • Assesses cybersecurity assurance needs;
  • Ensures that all standards and regulations to which the organization is subject are complied with, including the protection of Personal Information;
  • Appoints a person to act as the Information Systems Security Officer (“ISSO”);
  • Is responsible for the application of the business continuity plan and tests it;
  • Approves the Information Security Policy and ensures its implementation;
  • Approves the roles and responsibilities of the Information Technology Committee and appoints its members;
  • Ensures that an anonymous reporting mechanism is made available to Users regarding compliance with this Policy;
  • Maintains the list of legal and regulatory requirements for the protection of Information Assets, including the protection of Personal Information;
  • Defines, in collaboration with the external legal department, the contractual clauses that reflect the security measures required of third parties and ensure compliance with this Policy;
  • Communicates to the appropriate regulatory authorities any Incident relating to Personal Information or any Security Incident, in compliance with the applicable laws.

Representative of the Information Technology Committee
  • Ensures that risk analyses related to Information Security are carried out according to the prescribed methodology and informs the Executive Director in a timely manner of significant risks for the organization;
  • Selects and recommends appropriate security measures to mitigate risks related to Information Security and ensures their implementation;
  • Prepares and/or reviews annually an Information Security master plan in order to achieve the objectives of the Policy, and communicates it to stakeholders;
  • Proposes to the Executive Director the human, financial and material resources needed to maintain and improve Information Security;
  • Ensures that employees have the Information Security skills to carry out the tasks assigned to them;
  • Determines the level of criticality of positions in terms of information protection;
  • Ensures the control, monitoring, verification and recording of any access, disclosure or use of Information Assets;
  • Ensures that the risks that could arise from an activity entrusted to a third party are identified, monitors those risks and includes the appropriate clauses in the contract;
  • Ensures the design of the IT recovery plan;
  • Sets up a plan for managing access to Information Assets according to the roles and responsibilities of the Users;
  • Ensures that the handling and destruction of assets are performed adequately.

Manager
  • Ensures that employees under the manager’s governance use Information Assets adequately and comply with the Policy;
  • Raises awareness among team members about the security measures and controls, as well as the protections applicable to the use of Personal Information;
  • Works closely with the ITC and provides the necessary support for the exercise of employees’ responsibilities;
  • Ensures, if necessary, that clauses on security and the protection of information are included in employee contracts and agreements with partners.

Human resources
  • Communicates the Policy when hiring new employees;
  • Performs security checks on employees, contractors and third parties, according to the prescribed procedure, upon hiring and during employment according to the level of criticality of the position;
  • Communicates any movement of personnel, arrival or departure of an employee, without delay, to the ITC for the purpose of access management.

Users (permanent, temporary and contract employees)
  • Know and comply with this Policy;
  • Apply the security measures necessary to protect the Information Assets, according to the prescribed procedures;
  • Report, according to the prescribed procedure, any event that could threaten the protection of the company’s Information Assets;
  • Report to their immediate superior, or through the anonymous reporting mechanism, any situation that constitutes a violation of this Policy.

Committees – Key Responsibilities (Information Security)

Executive Committee
  • Keeps informed of trends pertaining to Information Security;
  • Makes recommendations to the Executive Director regarding technological orientations, Information Security and the protection of Personal Information;
  • Establishes strategic priorities pertaining to Information Security;
  • Ensures follow-up on the resolution of major Confidentiality and/or Security Incidents and on the implementation of action plans aimed at resolving non-compliance.

Information Technology Committee
  • Assesses IT work requests, including change requests, and approves them;
  • Approves any technological change that could create a risk related to Information Security or affect the security measures in place;
  • Ensures follow-up on the resolution of Confidentiality and/or Security Incidents and on the implementation of action plans aimed at resolving non-compliance;
  • Reviews the results of vulnerability analyses and proposes the required actions.

7. Documentation and Reporting

The ITC reports annually to the Executive Committee. The reporting includes, for the relevant period:

  • The number of Security Incidents that have occurred and the actions taken to deal with them;
  • The number of violations of this Policy observed and the actions taken to remedy them;
  • A review of training and awareness activities;
  • The status of the activities planned with respect to the security roadmap for the coming year as well as the budget required to carry out this roadmap.

8. Compliance

Failure to comply with this Policy may constitute a breach or violation of Lü’s Code of Conduct, Ethics and Values. The reporting process must therefore be carried out promptly to allow Lü to address the situation. Depending on the severity of the violation, administrative or disciplinary measures may include, but are not limited to, verbal notice, reprimand, suspension or dismissal. Lü may terminate an agreement that binds it to a third party, to subcontractors performing duties related to IT or Information Security, or to any other natural or legal person who uses or has access to Lü’s Information Assets and with whom Lü has a contractual relationship, if the latter fail to comply with this Policy.

The company may transmit to any judicial authority the information collected on any User of Information Assets who has contravened this Policy and which suggests a violation of an applicable law or regulation. The offender could then face legal proceedings and sanctions.

9. Implementation, Monitoring and Review

This Policy is effective as of the date of its signature by the Owner President as indicated below. It will be reviewed every three years, or earlier if changes in the legal framework or technological developments affect its application. This Policy was last updated in August 2024. This Policy supersedes all previous versions, if any, and is subject to change at any time at Lü’s sole discretion.