Information Security Policy

Introdução

The Crowdin Information Security Policy (hereinafter the Policy) defines the objectives and basic principles of information security. Information security means implementing and maintaining the appropriate level of the confidentiality, integrity and availability of information. The Policy's requirements apply to the entire Crowdin organization and all business processes, and are mandatory for all employees and for everyone else involved in these business processes. Compliance with the requirements of the Policy is an important aspect of achieving Crowdin's strategic goals and objectives.

The Crowdin information security policy meets the requirements of ISO/IEC 27001:2013 and DSTU ISO/IEC 27001:2015.

This policy sets up:

  • The context of the Organization
  • Internal and external issues relevant to the purpose of Crowdin
  • Interested parties that are relevant to the information security management system (hereinafter ISMS)
  • The requirements of these interested parties relevant to the ISMS
  • Information security objectives
  • Information security policy commitments
  • Responsibilities for Information Security
  • Measurement

Information security processes are described, formally defined and approved by Crowdin's management in the form of standards, policies, regulations and other internal regulatory documents.

Context of the organization

According to ISO, the context of an organization is its "business environment": "a combination of internal and external factors and conditions that may influence the organization's approach to its products, services and investments and interested parties".

Crowdin is a product company with more than 1.5 million user accounts.

Crowdin's software solution empowers companies of any shape and size to accelerate their growth by reaching people who speak different languages. The Crowdin team works passionately toward a shared goal: to expand the potential of agile localization. From day one until now, Crowdin's mission has always been to keep it simple and wow Crowdin's customers with an outstanding user experience and the latest technology solutions.

Crowdin's main industry sector is Software as a Service (SaaS).

The purpose of the ISMS is to ensure that Crowdin remains able to meet its defined business objectives and comply with its policies in the face of potential and actual security incidents. Policies have been set by the organization in a variety of areas, and these must be taken into account during the information security planning process to ensure that they are met.

The main relevant policies are:

  • Business Continuity Plan
  • Information Security Management Framework
  • Risk Assessment Methodology
  • Risk Treatment Guideline
  • Incident Response Plan
  • Acceptable Use Policy
  • Access Control Policy
  • Clear Desk and Clear Screen Policy
  • Control Against Malware Policy
  • Cryptography Policy
  • Human Resources Security Policy
  • Information Backup Policy
  • Information Classification and Labeling Policy
  • IS Risk Management Policy
  • Logging and Monitoring Policy
  • Monitoring and evaluating the effectiveness of ISMS Policy
  • Network Security Policy
  • Password Policy
  • Physical Security Policy
  • Security in Development and Maintenance Processes Policy
  • Segregation of Duties Policy
  • Supplier Relationship Security Policy
  • Workstation Security Policy
  • Change Management Policy
  • Communication Procedure
  • Corrective and Preventive Actions Procedure
  • Disciplinary procedure
  • Document control procedure
  • Internal Audit Procedure
  • Inventory and assessment of information assets procedures
  • Risk Management Procedure
  • Maintaining confidentiality in the work
  • Management Review Procedure
  • User Access Management Procedure

Internal and external issues

There are a number of internal and external issues that are relevant to the purpose of Crowdin and that affect the ability of the ISMS to achieve its intended outcomes.

Internal issues:

  • Adopted standards, guidelines and models
  • Significant organizational changes
  • Governance and organizational structure
  • Contractual relationships
  • Resources and knowledge (e.g., capital, people, processes and technologies)
  • Relationships with staff and stakeholders, including partners and suppliers
  • etc.

External issues:

  • Changes in technology
  • Government regulations and changes in the law
  • Competition
  • Economic shifts in the market
  • Supply chain
  • Society and culture
  • Interest and inflation rate
  • Data protection
  • Supporting technologies and infrastructure
  • Automation and artificial intelligence
  • Military and political shifts
  • etc.

These general internal and external issues will be considered in more detail as part of the risk assessment process and will be regularly reviewed and monitored.

Interested parties

The interested parties that are relevant to the ISMS of Crowdin have been determined below, together with their individual expectations.

An interested party is defined as a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. The following are defined as interested parties that are relevant to the ISMS:

  • Business owners
  • Governance
  • Customers
  • Suppliers and partners
  • Regulatory bodies
  • Customer user groups
  • Emergency Services
  • Employees of the Organization
  • Contractors providing services to the Organization
  • Competitors
  • Investors
  • The media
  • Auditors

Interested party: Business owners
  Expectation: Effective information security influences the organisation's financial success
  Requirement: Return on capital

Interested party: Governance
  Expectation: Organisational reputation must be protected
  Requirement: Documentary and practical confirmation of the implementation of the ISMS

Interested party: Customers, customer user groups
  Expectation: The confidentiality, integrity and availability of data is secured at all times
  Requirement: ISMS ISO 27001 certificate

Interested party: Suppliers and partners
  Expectation: Adhering to agreements and payment terms
  Requirement: Evidence of adhering to agreements and payment terms

Interested party: Regulatory bodies
  Expectation: The activities of the Organization comply with current legislation
  Requirement: Official confirmation of legal requirements (reports, certificates, etc.)

Interested party: Employees of the Organization
  Expectation: Personal data security, social welfare benefits, appropriate remuneration, training and support, safe working environment, etc.
  Requirement: Legislative documents and regulations, NDA terms and conditions, clear instructions on how to handle sensitive data, etc.

Interested party: Contractors providing services to the Organization
  Expectation: Adhering to agreements and payment terms; personal data security, social welfare benefits, appropriate remuneration
  Requirement: Evidence of adhering to agreements and payment terms; legislative documents and regulations, NDA, clear instructions on how to handle sensitive data, etc.

Interested party: Competitors
  Expectation: The Organization responds to rival marketing campaigns with its own initiatives and sets prices competitively
  Requirement: Results of market monitoring

Interested party: Investors
  Expectation: Profitability, expected return on investment
  Requirement: Return on investment, financial statements

Interested party: The media
  Expectation: Transparency regarding security incidents
  Requirement: Coverage of data breaches and a wider public interest in the way organisations protect personal information

Interested party: Auditors
  Expectation: A proportionate level of security controls is in place at all times to protect assets
  Requirement: Documentary and practical confirmation of the implementation of the ISMS

Interested party: Emergency services
  Expectation: Safe working environment, etc.
  Requirement: Fire safety, first aid provision, etc.

Information security objectives

  • Ensure the effective functioning of the ISMS in accordance with the requirements of ISO/IEC 27001:2013, which allows Crowdin to be a certified company and a trusted supplier for its customers.
  • Ensure uninterrupted operation of the company and provision of services, regardless of external and internal issues.
  • Ensure the availability, integrity and confidentiality of both customer and employee data, and the confidentiality of internal business processes. Minimize the number of information security incidents and their consequences and impact.
  • Keep information security goals aligned with the interests of the company.

Planning to achieve information security objectives

The ISMS Committee, a standing collegial body, and the CISO keep company policies up to date and ensure their integration into organizational processes.

For this purpose, ISMS Committee members can propose updates to documents and approve them at committee meetings. The ISMS team reviews any security incidents that have occurred, creates a plan for ISMS improvements and analyzes what was done in the previous period.

Annual training is held on the content of the information security policies and the general principles of information security. In addition to annual training, newly onboarded employees and contractors undergo training before they receive access to confidential data. Compliance with onboarding training requirements is monitored by the HR manager.

The system administrator monitors compliance with the requirements for the use of information systems and equipment, as described in more detail in the ISMS-PL Workstation Security Policy.

The CISO organizes regular activities such as BCP testing, backups, staff training, risk reassessment and the formation of a risk treatment plan, records all information security incidents, and is responsible for investigating suspected incidents.

The results of ISMS work are evaluated annually at the management review meeting and at internal and certification audits.

The company allocates the necessary resources to ensure business continuity in accordance with the BCP; the ISMS Committee helps keep the plan operational.

To establish and maintain the ISMS, Crowdin commits to:

  • Comply with both the law and ISO / IEC 27001: 2013 requirements
  • Develop and adhere to all ISMS policies and procedures and ensure their integration into organizational processes
  • Satisfy applicable requirements related to information security
  • Review and continually improve the information security management system
  • Be open and honest with individuals whose data is held
  • Provide training and support for staff who handle ISMS, so that they can act confidently and consistently
  • Ensure the compatibility of information security policies and objectives with Crowdin’s strategic objectives

Responsibilities for Information Security

Crowdin's governance clearly understands that information security is fundamental to Crowdin's operation. Crowdin management contributes to the creation, implementation, control and support of the information security Policy.

Information Security Policy documents are developed by the ISMS Committee and other departments according to the relevant areas of activity.

The ISMS Committee is responsible for defining information security requirements and overseeing their implementation in Crowdin.

Statutory, regulatory, and contractual requirements

Crowdin's information security measures meet business needs, the requirements of the legislation of Estonia and Ukraine, ISO/IEC 27001:2013 and Crowdin's internal regulations.

Any new process, or any change to an existing process, is organized with information security taken into account. The effectiveness of the ISMS is evaluated on a regular basis.

Crowdin's internal, independent information security audit is conducted annually as part of the ISMS operating cycle.