Information Security Policy

Introduction

The Crowdin Information Security Policy (hereinafter the Policy) defines the objectives and basic principles of information security. Information security means implementing and maintaining an appropriate level of its properties. The requirements of the Policy apply to the whole Crowdin organization and to all of its business processes, and are mandatory for all employees as well as for everyone involved in those business processes. Compliance with the requirements of the Policy is an important factor in achieving Crowdin's strategic goals and objectives.

The Crowdin information security policy meets the requirements of ISO/IEC 27001:2013 and DSTU ISO/IEC 27001:2015.

This Policy establishes:

  • The context of the organization
  • Internal and external issues relevant to Crowdin's purpose
  • Interested parties relevant to the information security management system (hereinafter ISMS)
  • The requirements of these interested parties relevant to the ISMS
  • Information security objectives
  • Information security policy commitments
  • Information security responsibilities
  • Measurement

Information security processes are described, formally defined and approved in Crowdin's guidance, in the form of standards, policies, regulations and other internal regulatory documents.

Context of the organization

According to ISO, the context of an organization is its "business environment", the "combination of internal and external factors and conditions that can affect the organization's approach to its products, services and investments and its interested parties".

Crowdin is a product company with more than 1.5 million user accounts.

Crowdin's software solution empowers companies of any shape and size to accelerate their growth by reaching people who speak different languages. The Crowdin team works passionately toward a shared goal: to expand the potential of agile localization. From the first day until today, Crowdin's mission has always been to keep it simple and to surprise Crowdin's customers with an outstanding user experience and cutting-edge technology solutions.

Crowdin's main industrial sector is Software as a Service (SaaS).

The purpose of the ISMS is to ensure that Crowdin remains able to meet its defined business objectives and comply with its policies in the face of potential and actual security incidents. The organization has set policies in a variety of areas, and these must be taken into account during the information security planning process to ensure that they are met.

The main relevant policies are:

  • Risk assessment and risk treatment methodology
  • Risk treatment plan
  • Inventory of assets and information classification Policy
  • Acceptable use of assets
  • Access Control Policy
  • Business continuity strategy and procedures
  • Information Security Incident Management Policy
  • Data Protection Policy
  • Procedure for document control
  • Physical and Environmental Policy and Standard Operating Procedures
  • Cyber Security Policy
  • Backup policy
  • Human resource security policy
  • Operating procedures for IT management
  • Supplier Security Policy
  • Change Control Policy
  • Definition of roles and responsibilities Policy
  • Procedure for internal audit
  • etc.

Internal and external issues

There are a number of internal and external issues that are relevant to the purpose of Crowdin and that affect the ability of the ISMS to achieve its intended outcomes.

Internal issues:

  • Adopted standards, guidelines and models
  • Significant organizational changes
  • Governance and organizational structure
  • Contractual relationships
  • Resources and knowledge (e.g. capital, people, processes and technologies)
  • Relationship with staff and stakeholders, including partners and suppliers
  • etc.

External issues:

  • Changes in technology
  • Government regulations and changes in the law
  • Competition
  • Economic shifts in the market
  • Supply chain
  • Society and culture
  • Interest and inflation rate
  • Data protection
  • Supporting technologies and infrastructure
  • Automation and artificial intelligence
  • etc.

These general internal and external issues will be considered in more detail as part of the risk assessment process and will be regularly reviewed and monitored.

The interested parties that are relevant to the ISMS of Crowdin have been determined below with their individual expectations.

An interested party is defined as a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. The following are defined as interested parties that are relevant to the ISMS:

  • Business Owners
  • Governance
  • Customers
  • Suppliers and partners
  • Regulatory bodies
  • Customer user groups
  • Emergency Services
  • Employees of the Organization
  • Contractors providing services to the Organization
  • Competitors
  • Investors
  • The media
  • Auditors

The expectations and requirements of each interested party are as follows:

Owners of the business
  Expectations: Effective information security influences the organisation's financial success
  Requirement: Return on capital

Governance
  Expectations: Organisational reputation must be protected
  Requirement: Documentary and practical confirmation of the implementation of the ISMS

Customers, Customer user groups
  Expectations: The confidentiality, integrity and availability of data is secured at all times
  Requirement: ISMS ISO 27001 Certificate

Suppliers and partners
  Expectations: Adhering to agreements and payment terms
  Requirement: Evidence of adhering to agreements and payment terms

Regulatory bodies
  Expectations: The activities of the Organization comply with current legislation
  Requirement: Official confirmation of legal requirements (reports, certificates, etc.)

Employees of the Organization
  Expectations: Personal data security, social welfare benefits, appropriate remuneration, training and support, safe working environment, etc.
  Requirement: Legislative documents and regulations, NDA terms and conditions, clear instructions on how to handle sensitive data, etc.

Contractors providing services to the Organization
  Expectations: Adhering to agreements and payment terms; personal data security, social welfare benefits, appropriate remuneration
  Requirement: Evidence of adhering to agreements and payment terms; legislative documents and regulations, NDA, clear instructions on how to handle sensitive data, etc.

Competitors
  Expectations: The Organization responds to rival marketing campaigns with its own initiatives and sets prices competitively
  Requirement: Results of market monitoring

Investors
  Expectations: Profitability, expected return on investment
  Requirement: Return on investment, financial statements

The media
  Expectations: Transparency regarding security incidents
  Requirement: Coverage of data breaches and a wider public interest in the way organisations protect personal information

Auditors
  Expectations: A proportionate level of security controls is in place at all times to protect assets
  Requirement: Documentary and practical confirmation of the implementation of the ISMS

Emergency Services
  Expectations: Safe working environment, etc.
  Requirement: Fire safety, first aid provision, etc.

Information security objectives:

  • Establish and ensure the effective functioning of the ISMS in accordance with the requirements of ISO/IEC 27001:2013, the fundamental framework through which information security is provided
  • Obtain the ISO/IEC 27001:2013 Certificate in accordance with the Project Plan for the development and implementation of the ISMS in CROWDIN
  • Ensure Crowdin business continuity supplementing existing policies
  • Minimize the number and consequences of information security incidents

Planning to achieve information security objectives

The achievement of the information security objectives will be carried out according to the Project Plan for the development and implementation of the ISMS in CROWDIN, approved by the ISMS Committee, which is a permanent collegial body established in accordance with the decision of the Director of OÜ CROWDIN.

The main stages of the organization of ISMS are:

  • Preparation for implementation
  • Description of existing infrastructure and security measures
  • Information security risk assessment
  • Planning a set of measures to minimize risks
  • Approval and implementation of a set of measures
  • Staff training
  • Compiling reports on the state of information security

To establish the ISMS, Crowdin is obliged to:

  • Comply with both the law and the requirements of ISO/IEC 27001:2013
  • Develop and adhere to all ISMS policies and procedures and ensure their integration into organizational processes
  • Satisfy applicable requirements related to information security
  • Review and continually improve the information security management system
  • Be open and honest with individuals whose data is held
  • Provide training and support for staff who handle ISMS, so that they can act confidently and consistently
  • Ensure the compatibility of information security policies and objectives with Crowdin’s strategic objectives

Information security responsibilities

Crowdin governance clearly understands that information security is fundamental to the life of Crowdin. Crowdin management contributes to the creation, implementation, control and support of the Information Security Policy.

Information Security Policy documents are developed by the ISMS Committee and other departments according to the relevant areas of activity.

The ISMS Committee is responsible for defining information security requirements and overseeing their implementation in Crowdin.

Statutory, regulatory, and contractual requirements

Crowdin's information security measures meet business needs and the requirements of the legislation of Estonia and Ukraine, ISO/IEC 27001:2013, and Crowdin's internal regulations.

The organization of any process, or the making of changes to an existing process, is carried out taking information security into account. The effectiveness of the ISMS is evaluated on a regular basis.

Crowdin’s internal independent information security audit will be conducted annually during the ISMS functional cycle.