Information Security Policy
To maintain a sterling business reputation and achieve competitiveness by ensuring the protection of information assets of the Voximplant group of companies (which includes Zingaya Inc and its subsidiaries Zingaya LLC and Fastcom LLC) (hereinafter – the Group), its clients and partners, including confidential information, commercial and other types of secrets, as well as personal data of the customers and the employees of the Group.
To create and maintain conditions under which information security (hereinafter - IS) risks are constantly monitored and are at an acceptable level, to protect confidential information and the continuity of the Group's business processes.
The management and all employees consider ensuring a high level of information security of the Group's assets as one of their most important goals.
SCOPE OF THE IS MANAGEMENT SYSTEM
The scope of the IS management system (ISMS) shall be established by order of the Group's Technical Director. The central and governing document establishing general requirements for the core processes of the ISMS shall be "Guidelines for the Information Security Management System".
WAYS TO ACHIEVE GOALS
For the effective implementation of IS processes, the Group shall implement an information security management system (hereinafter – the ISMS) that complies with the requirements of the international standard ISO/IEC 27001:2013 "Information technology -- Security techniques -- Information security management systems -- Requirements" (hereinafter – ISO/IEC 27001:2013). These goals shall be achieved through the implementation of the following activities:
- asset inventory and regular assessment of IS risks;
- application of reasonable, cost-effective organizational and technical measures to ensure IS;
- identification of applicable requirements of the legislation in force and of regulatory authorities in the IS domain, and achievement of compliance with these requirements;
- establishing the responsibility of employees for IS maintenance, training and raising their awareness of IS;
- regular assessment of ISMS compliance with the applicable internal and external requirements through internal ISMS audits, monitoring the effectiveness of the ISMS processes, and analysis of the ISMS by the Group's management;
- implementation of remedial actions where ISMS operation deviates from, or is inconsistent with, internal and external requirements;
- confirmation of compliance of the Group's ISMS with the requirements of the international standard ISO/IEC 27001:2013.
The Group shall be guided by the following principles in the IS domain:
- Legality. In the process of ensuring IS, the requirements of the applicable legislation, as well as the current regulatory requirements of state authorities, including international authorities, shall be fulfilled.
- Adequate treatment of existing threats and economic feasibility. The applicable organizational and technical protection measures shall be selected on the basis of business needs and the results of analysis and assessment of IS risks, specifically, the analysis of current threats and the costs of implementing and maintaining risk management measures. Periodic assessment of the effectiveness of the measures and the protection mechanisms used shall be carried out.
- Minimizing the limiting impact on business processes. The organizational and technical measures applied by the ISMS shall exert a minimal impact on the functioning and characteristics of the Group's business processes.
- Perspective and focus on existing Russian and international open standards. The organizational and technical measures of the ISMS shall be implemented taking into account global trends in the IS domain. The focus on open standards makes it possible to leverage cumulative global experience in the IS domain, and also ensures the transparency of IS processes and ease of interaction within the framework of IS tasks.
- Continuity of operation. Fault tolerance, reliability, availability and the correct functioning of organizational and technical measures of the ISMS shall be ensured.
- Continuity of improvement. A continuous cycle of development and improvement of the ISMS shall be implemented in order to successfully counter information security threats in a constantly evolving external and internal environment.
- Personal responsibility. Each employee of the Group shall be personally responsible for performing the functions and requirements assigned to him/her within the framework of ISMS operations.
- Control. The Group's employees shall be constantly monitored for compliance with IS requirements.
The management shall regularly evaluate the Group's performance in accordance with the requirements of ISO/IEC 27001:2013 and shall be responsible for monitoring implementation of the provisions of this policy.
The Group's Technical Director shall assume the obligation to carry out periodic checks of ISMS efficiency and shall be personally responsible for its effectiveness, efficiency and improvement. The management guarantees the provision of conditions and resources for the implementation of this Policy and shall be responsible for bringing the provisions of this Policy to the attention of all employees within the ISMS scope, so that efforts are pooled to achieve the stated goals.