Information Security Policy

Introduction

Crowdin Information Security Policy (hereinafter the Policy) defines the objectives and basic principles of information security, and the implementation and maintenance of an appropriate level of information security.

The Policy's requirements apply to the entire Crowdin organization and all of its business processes, and are mandatory for all employees as well as all other parties involved in these business processes. Compliance with the requirements of the Policy is an important aspect of achieving Crowdin's strategic goals and objectives.

Crowdin information security policy meets the requirements of ISO / IEC 27001: 2022 and DSTU ISO / IEC 27001: 2015.

This Policy establishes:

  • The context of the organization
  • Internal and external issues relevant to Crowdin's purpose
  • Interested parties relevant to the information security management system (hereinafter "ISMS")
  • The requirements of these interested parties that are relevant to the ISMS
  • Information security objectives
  • Information security policy commitments
  • Information security responsibilities
  • Measurement

Information security processes are described, formally defined and approved in Crowdin's guidance documents, which take the form of standards, policies, regulations and other internal regulatory documents.

Context of the Organization

According to ISO, the context of an organization is its "business environment": "a combination of internal and external factors and conditions that may influence the organization's approach to its products, services and investments and interested parties".

Crowdin is a product company with more than 2 million user accounts.

Crowdin’s software solution empowers companies of any shape and size to accelerate their growth by reaching people who speak different languages.

The Crowdin team works passionately toward a shared goal: to expand the potential of agile localization. From day one until now, Crowdin's mission has always been to keep it simple and to wow Crowdin's customers with an outstanding user experience and the latest technology solutions.

Crowdin’s main industrial sector is Software as a service.

The purpose of the ISMS is to ensure that Crowdin is still able to meet its defined business objectives and comply with its policies in the face of potential and actual security incidents.

Policies have been set by the organization in a variety of areas, and these must be taken into account during the information security planning process to ensure that they are met.

The main relevant policies are:

  • Business Continuity Plan
  • Information Security Management Framework
  • Risk Assessment Methodology
  • Risk Treatment Criteria
  • Incident Response Plan
  • Acceptable Use Policy
  • Access Control Policy
  • Clear Desk and Clear Screen Policy
  • Controls Against Malware Policy
  • Cryptography Policy
  • Human Resources Security Policy
  • Information Backup Policy
  • Information Classification and Labeling Policy
  • IS Risk Management Policy
  • Logging and Monitoring Policy
  • Monitoring and Evaluating the Effectiveness of ISMS Policy
  • Network Security Policy
  • Password Policy
  • Physical Security Policy
  • Security in Development and Maintenance Processes Policy
  • Segregation of Duties Policy
  • Supplier Relationship Security Policy
  • Workstation Security Policy
  • Change Management Policy
  • Communication Procedure
  • Corrective and Preventive Actions Procedure
  • Disciplinary Procedure
  • Document Control Procedure
  • Internal Audit Procedure
  • Information Asset Inventory and Assessment Procedure
  • Risk Management Procedure
  • Maintaining Work Confidentiality
  • Management Review Procedure
  • User Access Management Procedure
  • Vulnerability Management Policy
  • Security in Customer Support Policy

Internal and External Issues

There are a number of internal and external issues relevant to Crowdin's purpose that affect the ISMS's ability to achieve its intended outcomes.

Internal issues

  • Adopted standards, guidelines and models
  • Significant organizational changes
  • Governance and organizational structure
  • Contractual relationships
  • Resources and knowledge (e.g. capital, people, processes and technologies)
  • Relationship with staff and stakeholders, including partners and suppliers
  • Other

External issues

  • Technological changes
  • Government regulations and legal reforms
  • Competition
  • Economic changes in the market
  • Supply chain
  • Social and cultural factors
  • Interest and inflation rates
  • Data protection
  • Technical support and infrastructure
  • Automation and artificial intelligence
  • Military conflicts and political changes
  • Other

These general internal and external issues will be considered in more detail as part of the risk assessment process and will be regularly reviewed and monitored.

The interested parties that are relevant to the ISMS of Crowdin have been determined below with their individual expectations.

An interested party is defined as a person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.

The following are defined as interested parties relevant to the ISMS:

  • Business owners
  • Management
  • Customers
  • Suppliers and partners
  • Regulators
  • Customer user groups
  • Emergency services
  • Staff of the organization
  • Contractors providing services to the organization
  • Competitors
  • Investors
  • Media
  • Auditors

| Interested party | Expectations | Needs |
|---|---|---|
| Business owners | Effective information security influences the organization's financial success | Return on capital |
| Management | The organization's reputation must be maintained | Documented and practical confirmation of ISMS implementation |
| Customer user groups | Confidentiality, integrity and availability of data are secured at all times | ISMS ISO 27001 certificate |
| Suppliers and partners | Adherence to agreements and payment terms | Evidence of adherence to agreements and payment terms |
| Regulators | The organization's activities comply with current legislation | Formal confirmation of legal requirements (reports, certificates, etc.) |
| Staff of the organization | Personal data security, social welfare benefits, appropriate remuneration, training & support, safe working environment, etc. | Legislative documents and regulations, NDA terms & conditions, clear instructions on how to handle sensitive data, etc. |
| Contractors providing services to the organization | Adherence to agreements and payment terms; personal data security, social welfare benefits, appropriate remuneration | Evidence of adherence to agreements and payment terms; legislative documents and regulations, NDA, clear instructions on how to handle sensitive data, etc. |
| Competitors | The organization responding to rival marketing campaigns with its own initiatives and setting prices competitively | Market monitoring results |
| Investors | Profitability, expected return on investment | Return on investment, financial statements |
| Media | Transparency regarding security incidents | Coverage of data breaches and the broader public interest in how the organization protects personal information |
| Auditors | Expect that a proportionate level of security controls is in place at all times to protect assets | Documented and practical confirmation of ISMS implementation |
| Emergency services | Safe working environment, etc. | Fire safety, provision of first aid, etc. |

Information security objectives:

  • Ensure compliance with the requirements of ISO/IEC 27001:2022, which allows Crowdin to be a certified company and a trusted supplier for its customers (View Certificate). Ensure compliance with relevant laws and regulations (legislation of Estonia and Ukraine), contractual agreements, and organizational policies related to information security.
  • Ensure the availability, integrity and confidentiality of both customer and employee data, confidentiality of internal business processes.
  • Continuously reduce risks within the organization’s ISMS.
  • Prevent or minimize potential IS incident damage.

These strategic objectives are supported by annual KPIs, described in more detail in the ISMS-PL-Monitoring and Evaluating the Effectiveness of ISMS Policy:

  • Availability time of the service (>99.95% yearly)
  • Data confidentiality incidents count (goal: 0)
  • Data integrity incidents count (goal: 0)
  • Physical security incidents count (goal: 0)
  • Prioritized issues to be fixed immediately (goal: <100)
  • Vulnerabilities count found during pentest (security level: strong or very strong)
  • Vulnerabilities count found via reporting program (goal: no critical reports)
  • Planned ISMS tasks done in previous period (goal: 100%)
  • Quantity of unsuccessful or defective system updates (goal: <25)
  • Active risks distribution (decrease or increase of the number of identified risks) (goal: <10 risks classified as very high)
  • Phishing testing: percentage of compromised users (goal: 0%)

What will be done

Current policies, processes, and security measures will be continuously reviewed. Any gaps in alignment with ISO/IEC 27001:2022 standards will be identified and addressed.

A proactive risk management strategy will be maintained. This strategy includes conducting regular risk assessments, vulnerability scans, and security audits. Identified risks will be analyzed, and continuous mitigation measures will be implemented.

What resources will be required

  • Professionals with expertise in information security, data protection, and risk management.
  • Security technologies, including secure data storage solutions, device management solutions, encryption technologies, vulnerability assessment tools.
  • Skilled auditors and analysts to assess the effectiveness of implemented security measures and identify areas for improvement.
  • Access to up-to-date threat intelligence sources
  • Adequate budget allocation to support investments in security technologies, personnel, training programs, and processes improvements.

Who will be responsible

The ISMS Committee has the final responsibility for Information Security Risks across Crowdin.

Detailed information about the functions, regulation, duties and responsibilities of the ISMS Committee is in the Regulation on ISMS Committee.

Managers/Heads of Departments are responsible for information security within their departments/teams. They must ensure that the department/team has communicated its own information security needs to the CISO.

The CISO is accountable for providing appropriate and timely advice to management, so that an effective information risk management framework is implemented, operated and maintained in alignment with the business strategy and with business and legal requirements.

All personnel, regardless of function, level and role, shall have explicit personal responsibilities for Information Security Management.

Responsibilities are described in detail in the ISMS-FR-Information Security Management Framework, and in other corresponding policies.

When it will be completed

Continuous monitoring and improvement of ISMS will be an ongoing task to maintain compliance.

Regular risk assessments and mitigation activities will be scheduled periodically. Vulnerability assessments will be conducted regularly as part of the organization’s ongoing security practices. Proactive measures will be implemented immediately upon identification of vulnerabilities to ensure continuous protection.

The Incident Response Plan is annually reviewed, updated and tested to ensure its effectiveness in minimizing potential damage in the event of a security incident.

How the results will be evaluated

Systems, processes and activities that can be monitored in the ISMS include, but are not limited to:

  • Audit;
  • Risk assessment process;
  • Risk management of third parties;
  • Business continuity management;
  • The maturity of implementation of ISMS processes;
  • Incident management;
  • Vulnerability management;
  • Configuration management;
  • Training and level of awareness raising activities;
  • Access control, firewall and other event logs;
  • Management of physical and environmental safety; and
  • System monitoring.

The organization's compliance with ISO/IEC 27001:2022 is evaluated through internal audit, management review, and ISMS Committee meetings. Annual external audits conducted by certification bodies further validate our compliance status.

Key performance indicators defined will be closely monitored. Any security breaches or incidents will trigger immediate investigation and corrective action to ensure the security of customer and employee data, as well as our internal business processes.

Monitoring and evaluating the effectiveness of ISMS processes is described in the ISMS-PL-Monitoring and Evaluating the Effectiveness of ISMS Policy.