Information Security Policy Anna Sargsyan June 24, 2022


Synergy International Systems, Inc. (“Synergy”) (“the company”, “us”, “we”, or “our”) operates the www.synisys.com website (the “Service”).

This page informs you of our policies regarding all aspects of information management, such as all requirements and objectives for information security in the company, information custody ownership and usage, classification of information and information management principles, physical and environmental security issues, as well as sanctions applied in case of violation of information security policies.

By adopting this policy, we address security considerations and solutions for all existing computer information systems, devices and networks, and coordinate those solutions with all relevant support groups.

Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms and Conditions, accessible from www.synisys.com.

Roles and Responsibilities

The table below lists the roles with the overall responsibility for information security:

| Role | Responsibilities |
| --- | --- |
| ISMS Manager | The ISMS Manager is responsible for the maintenance, update and monitoring of compliance with requirements of this policy. The ISMS Manager has authority over the information security initiatives. The ISMS Manager also reports to the CEO of the company. |
| Top Management | The top management must support the work of the ISMS Manager by deciding upon the issues elevated to it by the ISMS Manager and making sure that all intentions of the Information Security Policy are being met in full. |
| IMS Board | The Board is responsible for overseeing that all IT-related services, new ones as well as the existing ones, are and remain, among other things, in compliance with the Information Security Policy. To this end, the ISMS Manager participates in all IMS Board meetings. |
| System Administrators | The role of the SA is to provide the necessary resources, which will enable secure, reliable and controlled data processing services. It will manage the implementation, control and maintenance of all facilities necessary to enable the high standards of IT services the company expects and requires. |

Information Classification

To ensure the appropriate management of all information assets and overall information security thereof, the company defines three information security classifications:

| Information Type | Definition |
| --- | --- |
| Confidential | Confidential information is all information not to be disclosed without the permission of the owner. This information is of high specific or strategic value. |
| Restricted | Restricted information is all information needed for, generated in conducting, or acquired on behalf of the company's day-to-day business operations. |
| Public | Public information is all information intended for disclosure and distribution to the public. However, public information must be protected by copyrights. |

Paper-based information must therefore be marked visibly according to its classification, whereas electronic information is mainly classified through access rights and password security, as well as system security. Classification of business- and work-related verbal information and conversations must be ensured by the overall awareness of company staff according to this policy.

Information Management Principles

The Company adopted the following principles, which continue to underpin this policy:

  • Information is protected in line with all relevant Company policies and legislation, notably those relating to data protection, human rights and freedom of information.
  • Each information asset has a nominated owner who is assigned responsibility for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect the asset.
  • Information is made available solely to those who have a legitimate need for access.
  • All information is classified according to an appropriate level of security.
  • The integrity of information is maintained.
  • It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.
  • Information is protected against unauthorized access.
  • Compliance with the Information Security Policy is enforced.

The information management and operational security principles of the company comply with national rules and regulations. Information has to be labelled and managed according to its classification. In cases of doubt about the information classification, the ISMS Manager has to be informed immediately. The ISMS Manager must then decide how this information is handled and must make sure that all requirements of this policy are fulfilled in full.

Information Security and Awareness Training

The Information Security Policy applies to all company staff. Therefore, general awareness of information security matters must be raised by management and the ISMS Manager. Information security training must be part of the training for all staff. It must comprehensively cover all matters subject to this policy and its supplementing guidelines and adhere to their intentions in full. Refresher information security training should be part of the general training schedule of the company.

Information Security Violation and Sanctions

All company staff are responsible for protecting the company's information assets and for complying with the Information Security Policy.

All staff must report violations of the principles defined herein or general breaches of information security to the ISMS Manager immediately. Details and circumstances of all violations must be investigated by the ISMS Manager and reported to management. Sanctions must then be determined by management.

Concealment of violations of the principles defined herein or general breaches of information security must also be sanctioned.

Reporting on Information Security Events

Ad hoc reporting on Information Security events is done as defined in the Information Security Incident Management Procedure. Regular reporting on IS matters for purposes of steering and overall management is done on at least an annual basis.