Information Security Policy
The masculine gender is used in this document for the sole purpose of simplifying the text.
This document is intended for employees, advisors, customers, visitors, partners and suppliers.
Version 1.1
Table of contents
- Preamble
- Policy Purpose
- Scope
- Definitions
- Guiding Principles
- Roles and Responsibilities
- Documentation and Reporting
- Compliance
- Implementation, Monitoring and Review
1. Preamble
Lü Interactive Playground (“Lü”) recognizes the importance of information technology, computer systems, equipment and devices, as well as the documents and information that it collects and generates in the context of its activities, including Confidential Information such as customer information and Personal Information collected, processed or stored in the context of its activities.
This Policy concerns the Information Assets that Lü holds or uses, regardless of their nature, location and Medium on which they are found, for their complete Life Cycle, i.e. from their collection or creation until their destruction in compliance with applicable laws and regulations.
2. Policy Purpose
The Information Security Policy (the “Policy”) aims to provide Lü with the appropriate and necessary tools to exercise sound governance with respect to Information Security. It constitutes the foreground of the organizational framework and comprises the following objectives:
- Ensuring compliance with applicable laws and regulations as well as recognized practices in Information Security risk management;
- Establishing the guidelines and guiding principles intended to effectively ensure Information Security, as well as business continuity, in particular:
- Ensuring the Integrity of the information so that it is neither destroyed nor altered, in any way whatsoever, without authorization, and by means of a Medium which provides the necessary stability and durability;
- Limiting the disclosure of Confidential Information to those authorized to have access to it. Only employees who need the confidential data for their work may access it;
- Ensuring information Availability, and allowing, where necessary, confirmation of the authenticity of a document or of the identity of a person or device accessing the information;
- Protecting information throughout its Life Cycle, regardless of its Medium or location.
3. Scope
This Policy applies to all employees of Lü, including, but not limited to, its personnel, third parties with whom Lü has a contractual relationship, subcontractors performing duties related to Information Assets or Information Security and any other natural or legal person who uses or has access to Lü’s Information Assets. Lü is responsible for ensuring that all such persons comply with the guiding principles set out in this Policy.
4. Definitions
Availability: The assurance that information is easily accessible to Users authorized to access it in an uninterrupted manner.
Confidentiality: The reserved nature of information, access to which is limited to only those persons authorized to consult it for the needs of the service and within the framework of their duties.
Confidentiality Incident: The intentional or inadvertent loss, theft, unauthorized access, use or disclosure of Personal Information.
Confidential Information: Information that may only be disclosed or made accessible to authorized persons and entities.
Information Asset: All information produced, collected, generated or stored in the context of Lü’s activities, all technologies used, such as information systems, equipment (workstations, applications) and devices (virtual or physical), including computer hardware and software used to store, transfer, process or remotely access assets in the context of Lü’s operations. Hardware includes servers, computers, mobile phones, voicemail, email, data, documents (paper, digital), remote access, wired and wireless networks, Removable Electronic Media, tablets, personal digital assistants, Internet, hosting sites and systems. Software includes any applications or systems running on Lü’s hardware, or externally hosted systems, and used to conduct Lü’s activities. Information Assets do not include devices owned by employees, third party personnel or subcontractors, but do include remote access tools authorized by Lü’s IT department, such as VPN and licensed cloud applications used with personal equipment.
Information Asset Classification: Classification is a process that ensures the treatment of an Information Asset according to its degree of sensitivity, its value and its criticality.
Information Security: A set of technical, organizational, legal and human resources necessary and implemented to preserve, restore and guarantee the security of Lü’s Information Assets.
Integrity: The capacity to guarantee the comprehensiveness, precision, accuracy and validity of information throughout its Life Cycle.
ISSO: The Information Systems Security Officer defines and develops the information security policy of their company. They are responsible for its implementation and ensure its monitoring. They protect the company from potential risks related to cyberattacks, such as spoofing, ransomware or DDoS attacks. They also carry out projects such as internal security policies at the employee level (e.g. password change every six months, etc.).
The Information Systems Security Officer must also inform staff about security issues and standards through the implementation of tools (digital charters, security guidelines) or communication activities, etc.
ITC: Information Technology Committee.
Life Cycle: All the stages that make up the life of information from its creation, through its use, its disclosure/transfer, its storage until its destruction.
Personal Information: Information that concerns a natural person and which alone or in combination with other information allows that person to be directly or indirectly identified.
Removable Electronic Media: A removable portable device that can be connected to an Information Asset, a computer or network to provide data storage (USB flash drives, SD cards, external drive).
Security Incident: A security event that compromises Lü’s business activities or the Confidentiality, Integrity or Availability of an Information Asset.
Telework: Professional activity carried out outside the employer’s offices, using IT and telecommunications tools.
User: Any person or entity, including Lü’s internal or external stakeholders, directors, officers, employees, contractors or suppliers and their representatives, external partners, guests, external organizations or authorized companies who, in any way, access, use, process or store Lü’s Information Assets.
5. Guiding Principles
- Overall Approach – Lü’s procedures, processes, measures and contractual commitments relating to Information Assets must be developed, implemented and applied in such a way as to maintain their Integrity, ensure their Availability, and preserve their Confidentiality, and in such a way as to comply with the legal and regulatory obligations to which Lü is subject.
- Inventory – Lü ensures that it inventories and classifies its Information Assets. This inventory must include physical assets (servers, workstations, network equipment, etc.) and digital assets (software, licenses, etc.) and must assign each asset to an owner. The owner of the Information Asset is responsible for protecting the asset throughout its Life Cycle.
- Classification – Lü uses an Information Asset Classification mechanism that aims to establish the level of criticality of the assets and allows each class to be assigned the required protection measures and adequate handling requirements.
- Responsibility – Each User having access to the Information Assets assumes responsibilities with regard to maintaining security and compliance with security measures, in particular with regard to preserving the Confidentiality of their identifiers, their access to the Information Assets via external networks, and the Security of Lü’s equipment and Removable Electronic Media, in addition to being accountable for their actions to the Executive Committee.
- Use for professional purposes – Lü’s Information Assets are made available to Users for professional purposes in the performance of their duties. The organization has identified rules for acceptable use of its Information Assets which are documented in the Information Security standards. These describe the acceptable use of communication equipment and systems, the protection of Personal Information, the protection of materials and equipment outside the office (including Telework).
- Access rights – Access rights to Information Assets are granted on a restricted basis to Users based on their responsibilities and tasks (principle of minimal access).
- Protection of Personal Information – Access to and use of Personal Information collected by Lü must be controlled and must only be authorized for the purposes for which Personal Information was collected or obtained, all in accordance with the Privacy Policy and applicable laws.
- Contractual commitments – Any contractual agreement entered into with a service provider relating to the Information Assets, or likely to have an impact on Information Assets, must contain provisions obliging the provider to meet the requirements of this Policy; alternatively, the provider must, through its own internal rules, comply with this Policy in a manner consistent with the security measures enforced by Lü.
- Security measures – Lü has implemented and will implement protection, prevention, detection, assurance and correction measures according to the level of Information Asset Classification in order to ensure the Confidentiality, Integrity, and Availability of these Information Assets, as well as access control, User authentication and continuity of operations. Measures must also aim to prevent Confidentiality and Security Incidents, errors, malicious acts, as well as breaches of Confidentiality, Integrity or Availability of Information Assets. Lü periodically conducts risk and vulnerability assessments, as well as compliance checks relating to confidentiality and data security. Lü must promptly rectify any security vulnerabilities that are identified. Lü is committed to maintaining the security of the systems and services developed by Lü through regular updates. We make constant improvements and apply corrective actions (also called “patches”) to ensure the efficiency, optimal performance and security of our systems. These updates may include changes to strengthen security, fix bugs or improve functionality. Lü reserves the right to make these updates without prior notice, while ensuring that this does not interfere with the user experience and in accordance with our Privacy Policy. Lü maintains a detailed event log that records user actions within the system for security purposes. This practice allows us to identify, understand and respond appropriately to any unusual or suspicious behaviour, as well as any possible security breaches. Event logging may include information such as the date and time of actions, details of the action performed, and user ID. This information is collected and stored in accordance with our Privacy Policy and is only used to protect the security of our users and ensure the integrity of our services.
- Human resources security – Lü conducts background checks if necessary prior to hiring. The need for a background check, as well as the type of verification, is established based on the criticality level of the employee’s position. The level of criticality is established by the human resources department. Verification may be conducted at the criminal, judicial and credit profile levels. A consent form must be provided to the employee concerned for each verification.
- Monitoring – The Executive Committee may control, monitor, verify and record any access, disclosure, or use of the Information Assets made by Lü Users to ensure adequate use of the Information Assets and compliance with this Policy and security measures.
- Awareness and training – The information systems security committee must implement and enforce an Information Asset security awareness and training program. The security training and awareness program will include:
- Training on how to implement and comply with relevant company Policies;
- Promoting a culture of security awareness through periodic communications from management to Users;
- Identification of communication channels to ensure adequate and timely notification of any actual or potential information security vulnerability or risk.
- Evolution – A periodic assessment of the risks and security measures of the Information Assets must be carried out to ensure their adequacy. Technological changes could have consequences on the security of the Information Assets and must be identified, assessed, approved, planned and controlled.
6. Roles and Responsibilities
Achieving Information Security objectives requires clear assignment of responsibilities at all levels of the organization and the adoption of security management processes that ensure appropriate accountability. Thus, Information Security is a collective responsibility, and each person is held accountable according to their specific role. Awareness regarding Information Security and relevant training are thus essential elements.
Responsibilities for protecting the company’s Information Assets are divided among committees, the key functions of the organization and Users.
Functions | Key Responsibilities – Information Security |
President owner | |
Executive Director and Representative of the Information Technology Committee. | |
Representative of the Information Technology Committee. | |
Manager | |
Human resources | |
Users (permanent, temporary and contract employees) | |

Committee | Key Responsibilities – Information Security |
Executive Committee | |
Information Technology Committee | |
7. Documentation and Reporting
The ITC reports annually to the Executive Committee. The reporting includes, for the relevant period:
- The number of Security Incidents that have occurred and the actions taken to deal with them;
- The number of violations of this Policy observed and the actions taken to remedy them;
- A review of training and awareness activities;
- The status of the activities planned with respect to the security roadmap for the coming year as well as the budget required to carry out this roadmap.
8. Compliance
Failure to comply with this Policy may constitute a breach or violation of Lü’s Code of Conduct, Ethics and Values. Thus, the reporting process must be carried out promptly to allow Lü to address the situation. Depending on the severity of the violation, administrative or disciplinary measures may include, but are not limited to, verbal notice, reprimand, suspension or dismissal. Lü may terminate an agreement that binds it to a third party, to subcontractors performing duties related to IT or Information Security, or to any other natural or legal person who uses or has access to Lü’s Information Assets and with whom Lü has a contractual relationship, if the latter fails to comply with this Policy.
The company may transmit to any judicial authority the information collected on any User of Information Assets who has contravened this Policy and which suggests a violation of an applicable law or regulation. The offender could then face legal proceedings and sanctions.
9. Implementation, Monitoring and Review
This Policy is effective as of the date of its signature by the Owner President as indicated below. It will be reviewed every three years, or earlier if changes in the legal framework or technological developments affect its application. This Policy was last updated in August 2024. This Policy supersedes all previous versions, if any, and is subject to change at any time at Lü’s sole discretion.