Security Policy

Sharpist Security Practices


The security policy adopted by the Sharpist management is implemented within the framework of a program. Protection goals of information security, such as confidentiality, availability and integrity of data, IT systems and their infrastructure are to be ensured.

Sharpist's corporate assets that require a high level of protection include:

  • The Sharpist Coaching Platform;
  • Sharpist source code and other sensitive data;
  • Personal and other sensitive information that Sharpist collects in the course of its business, including customer, partner, supplier and employee data processed in Sharpist's internal IT systems.

Sharpist's goal is to ensure that Sharpist's products and the components and systems necessary for their operation are protected to the best of its ability from, for example, theft of information, willful or malicious modification of software, inappropriate use, outside threats. The developers of the Sharpist Coaching platform take into account the principle of secure design at every stage of the product development and life cycle of the software. This applies to the phases of specification, development, testing and maintenance of the products.

Industry standards and certifications

The Sharpist Security Policy covers security management for both internal Sharpist operations and the services Sharpist provides to its customers, and applies to all Sharpist personnel, such as employees and contractors. These policies are aligned with ISO/IEC 27002:2013 and ISO/IEC 27001:2013 standards and guide all areas of security within Sharpist.

Organizations for the security oversight of companies

Information security management is the responsibility of the CISO (Chief Information Security Manager) appointed by the management. This position is established as a staff position in Sharpist and reports directly to the Executive Board. Tasks include strategic planning and development of concepts, standards and policies for information security; technical implementation of IT security; and management and coordination of security measures in compliance with ISO 27001 standards. In addition, the CISO is responsible for coordinating and training departmental security coordinators; incident and configuration management; and continuous analysis and optimization of IT security strategies based on business processes.

Furthermore, they organize the analysis and assessment of risks for information security; the planning and implementation of security concepts in close cooperation with the specialist departments and IT); as well as the execution and support/supervision of audits. He is responsible for organizing and coordinating information security awareness and training activities. The Chief Information Security Officer (CISO) leads the functional team directly responsible for identifying and implementing security measures at Sharpist. This   drives   the   company's   security   program, defines the company's security policies, assesses compliance, and provides operational oversight of the multi-dimensional aspects of Sharpist security policies and practices:

  • Information Security
  • Physical Security
  • Security architecture

Information Security Team


The information security team is responsible for:

  • Security oversight
  • Compliance with and enforcement of security regulations
  • Conducting information security assessments that
  • The development of an information security policy and strategy, and
  • Training and awareness-raising at company level

The   Information   Security   Team   serves   as   the   primary   point   of   contact   for   security incident response and provides overall direction for incident prevention, identification, investigation, and resolution. Programs within the Information Security team are dedicated to maintaining the confidentiality, integrity, and availability of Sharpist information resources and Sharpist entrusted information resources, including a focus on:

  • Definition of technical corporate standards to ensure security, data protection and compliance;
  • Supporting security authorities in promoting a culture of security in all regions and functional areas.

Information Security Manager

The Information Security Manager (ISM) serves as a security officer to increase awareness of and compliance with Sharpist security policies, processes, standards and initiatives.

Physical security


The responsibilities of the Physical Security Officers include defining, developing, implementing and managing all aspects of physical security to protect Sharpist employees, facilities, the company and assets.

Risk-based approach

Sharpist uses a risk-based approach to physical and environmental security to effectively balance prevention, detection, protection and response while maintaining a positive work environment that fosters innovation and collaboration among Sharpist employees and partners. Sharpist conducts regular risk assessments to confirm that the proper and effective mitigation measures are in place and being maintained.

Supervision of the security architecture


The Sharpist Security Architecture team helps set the technical direction for internal information security and guides Sharpist departments and business units in delivering information security and identity management solutions that advance Sharpist's information security goals. The Security   Architect collaborates with Information Security and Software Development, communicating and implementing enterprise security architecture roadmaps. The security architecture team manages a variety of programs and uses various methods of collaboration with leadership and security teams responsible for operations, services, cloud and all other Sharpist business units. Procedure:

  • Pre-assessment: the risk management team must conduct a pre-assessment of each project against the approved template;
  • The security architecture team reviews the submitted plans and performs a technical  security  design review;
  • Security assessment review: Based on the risk level, systems and applications are subjected to a security review prior to production use.

Human Resources Security


Sharpist maintains high standards of ethical business conduct at every level of the organization at which Sharpist does business. These apply to Sharpist employees and contractors and address legal and regulatory compliance, business conduct and relationships and are set forth in the Sharpist Compliance Policy.

Emphasis on Human Resources Security

Sharpist places a high priority on Human Resources Security. The company continuously implements initiatives to help minimize risks associated with human error, theft, fraud  and misuse  of facilities, including  personnel screening, confidentiality agreements, security awareness education and training, and enforcement of disciplinary actions.

Employee screening

Pre-employment background checks and interviews for newly hired personnel are conducted according to Sharpist policies.

Obligation to maintain confidentiality

Sharpist employees are required to maintain the confidentiality of customer information. Employees must sign a confidentiality agreement and comply with the company's policy on protecting confidential information as part of their original terms and conditions of employment. Sharpist obtains a written confidentiality agreement from each subcontractor before that subcontractor provides services.

Security awareness education and training

Sharpist promotes security awareness and trains employees on a regular basis. Each employee is required to complete information security training upon hire and annually thereafter. This training educates employees about their obligations under Sharpist's privacy and security policies and principles.

Law Enforcement

Periodically,   security reviews,   assessments and audits are conducted to confirm compliance with   Sharpist's information security policies,   procedures and practices. Employees who fail to comply with these policies, procedures and policies may be subject to disciplinary action, up to and including termination of employment.

Sharpist asset management policy


Sharpist's Acceptable Use Policy provides guidance to all Sharpist employees and business partners regarding information classification schemes and the minimum handling requirements associated with those classifications. Sharpist categorizes confidential information into four classes - public, internal, confidential, and strictly confidential - with each classification requiring appropriate security measures, such as encryption requirements for data classified as confidential or strictly confidential.

Training and awareness

During Sharpist's mandatory training, employees are informed about the company's data protection policy. This training will also include the employees understanding of the classification. Employees must complete this training when they join Sharpist and repeat it periodically thereafter.

System inventory

The development and maintenance of an accurate system inventory is a necessary element for effective overall information system management and operational reliability. Sharpist's Asset Management Policy requires that an accurate and up-to-date inventory be maintained for all information systems that contain critical and highly critical information assets in Sharpist infrastructures.

The required technical and business information falls into the following categories:

  • Hardware details such as manufacturer, model number, and serial number of the equipment, system, or device;
  • Physical location of the data center/facility and location within the building;
  • Software details such as operating system and applications and associated versions
  • Classification of information goods;
  • Ownership information at organizational and individual level.

Sharpist access control


Access control refers to the policies, procedures, and tools that govern access to and use of resources.
Examples of resources include a physical server, a file, a directory, a service running on an operating system, a table in a database, or a network protocol.

  • Least Privilege is a system-oriented approach in which user privileges and system functionality   are carefully evaluated and access is limited to the resources that users or systems need to perform their tasks.
  • Default deny is a network-oriented approach that implicitly denies the transmission of all   traffic and then specifically allows only the required traffic based on protocol, port, source, and destination.

Sharpist's access control policies and practices

The Sharpist Access Control Policy applies to access control decisions for all Sharpist employees and all information processing facilities for which Sharpist has administrative authority. This policy does not apply to publicly accessible Internet-facing Sharpist systems or end users.

Privilege management

Authorization depends on successful authentication, as control  of access to certain resources depends on establishing the identity of an entity or person. All Sharpist authorization decisions for granting, approving, and verifying access are based on the following principles:

  • Need-to-Know: Does the user need this access for their job function?
  • Separation of duties: Does access lead to a conflict of interest?
  • Least Privilege is access limited to only those resources and information necessary for a legitimate business purpose?

User password management

Sharpist enforces strong password policies for the Sharpist network, operating system, and database accounts to reduce the chances of intruders gaining access to systems or environments by exploiting user accounts and associated passwords.

Periodic review of access rights

Sharpist regularly reviews network and operating system accounts with respect to appropriate employee access levels. In the event of employee terminations, deaths or resignations, Sharpist will take appropriate action to immediately terminate network, telephony and physical access.

Password Policy

The use of passwords is covered in Sharpist  Policy  for Passwords. Sharpist employees are required to follow rules for password length and complexity and to keep their passwords confidential and secure   at all times. Passwords may not be disclosed to unauthorized individuals. Under certain circumstances, authorized Sharpist employees may share passwords for the purpose of providing support services.

Network access measures

Sharpist has implemented and maintains strong network measures to ensure the protection and control of customer data as it is transferred from one end system to another. Sharpist's Access Control Policy states that endpoints connected to the Sharpist network must meet well-established standards for security, configuration, and access method.

Security principles for Network communications


For administration of network security and network management devices, Sharpist requires IT personnel to use secure protocols with authentication, authorization, and strong encryption. Network devices must be located in an environment protected and with physical access controls and other standards for physical security measures. Communications to and from the Sharpist enterprise network must pass through network security devices at the border of the internal Sharpist enterprise network. Access to the Sharpist corporate network by suppliers and third parties is subject to limitations and prior approval per Sharpists Network Access Policy..

Asset Management

Network devices must be registered in a Sharpist approved  information system inventory in accordance with Sharpist policy. This policy requires accurate inventory and documented ownership of all information systems that process critical and highly critical information assets throughout their lifecycle using an approved inventory system.

Wireless networks

The Sharpist Security Policy governs the deployment and use of wireless networks and connectivity for accessing the Sharpist enterprise network. Sharpist manages wireless networks and monitors unauthorized wireless networks.

Data security


Sharpist's Information Asset Classification determines the enterprise's data security requirements for Sharpist - managed systems. Sharpist policies and standards provide guidance on appropriate measures to protect the confidentiality, integrity, and  availability of enterprise data in accordance   with the data classification. The required mechanisms are designed to be consistent with the type of enterprise data being protected. For example, security requirements are higher for sensitive or valuable data such as cloud systems, source code, and employment records. Security measures Sharpist can be divided into three categories: administrative, physical and technical security measures.

  • Administrative measures, including logical access control and personnel processes;
  • Physical  measures  designed   to   prevent   unauthorized   physical  access  to  servers  and data   processing environments;
  • Technical measures, including secure configurations and encryption for data at rest and in transit (Data at Rest, Data in Motion).

Sharpist's security policy for endpoints (stationary and mobile)


The Sharpist policy mandates the use of antivirus, IPS (intrusion prevention system), and firewall software on endpoints - to the extent possible. In addition, automated security updates and virus signature updates must be enabled  on all endpoints. Endpoints that process Sharpist or customer data  will  be encrypted with approved software.

Protection against malicious code

Sharpist employees must follow Sharpist email instructions and are responsible for immediately reporting to the Sharpist employee help desk any virus or suspected virus infestation that cannot be remedied by anti-virus software. Employees are prohibited from modifying, disabling, or removing antivirus software and the security update service from any terminal device. Sharpist employees who violate this standard may be subject to disciplinary action, up to and including termination of employment.

Terminal devices encryption

To protect sensitive Sharpist information, Sharpist employees must install Sharpist-approved encryption software on their endpoints.

Mobility management for companies

Sharpist deploys a mobile device management solution to protect data on employee-operated mobile devices. These solutions support all major mobile device operating systems and platforms. Sharpist's IT and security organizations regularly promote mobile device security awareness and best practices.

Data security: physical and environmental controls

Preventive Measures: Protection of Sharpist Assets and Employees

Sharpist has implemented the following protocols:

  • Physical access to the facilities is limited to Sharpist employees, contractors and authorized visitors;
  • Visitors are required to be escorted and/or observed  when on Sharpist premises and/or bound by the terms of a confidentiality agreement with Sharpist;
  • Sharpist monitors the possession of keys/access cards and the ability to access facilities. Employees who leave Sharpist employment must return keys/cards and keys/cards will be deactivated upon termination.

Data center security

Sharpist's systems run in data centers that help protect the security and availability of customer data. This approach begins with Sharpist's site selection process. Sharpist systems house and use redundant power sources and maintain generator backups in case of widespread power outages. They are closely monitored for air temperature and humidity, and fire suppression systems are in place. Data center personnel are trained in incident response and escalation procedures to respond to potential security and availability events.

Sharpist Communication and Operations Management


Sharpist security programs are designed to protect the confidentiality, integrity, and availability of both Sharpist and customer data. Sharpist continually works to strengthen and improve the company's security measures and practices for its internal operations and services.

Acceptable use

Sharpist has formal requirements for the use of the Sharpist corporate network, computer systems, telephony systems, messaging  technologies, Internet access, and other corporate resources available to Sharpist employees and contractors.

General security principles for communication

Communications to and from the Sharpist corporate network must be routed through network security devices at the network boundary.

Separation of duties and awareness of the principles

Sharpist enforces clearly defined roles that allow segregation of duties among operations personnel. Operations is organized into functional groups, with each function performed by separate groups of employees. Examples of functional groups include database administrators, system administrators, and network engineers.

Monitoring and protection of audit log information

Sharpist logs certain security-related activities on operating systems, applications, databases and network devices. Systems are configured to log access to Sharpist programs as well as system warnings, console messages, and system errors. Sharpist implements controls designed to protect against operational problems, failure to record events, and/or log overwriting. Sharpist reviews logs for forensic purposes and incidents and identifies anomalous activity that feeds into the security incident management process. Access to security logs is granted on a need-to-know and least privilege basis. When possible, log files are protected by strong cryptography in addition to other security controls, and access is monitored. Logs generated by systems that are accessible via the Internet are moved to systems that are not accessible via the Internet.

Asset Management

Sharpist's inventory management for information systems requires an accurate inventory of all information systems and devices that contain critical and highly critical information assets throughout their lifecycle via a Sharpist inventory  system. This policy defines the required identification attributes to be recorded  for server hardware,   software, data held   on information systems,   and information needed for disaster recovery and business continuity purposes.

Communication Technology

Sharpist manages enterprise  solutions for collaboration  and communication  within Sharpist and with external parties. Sharpist's policies require that employees use these approved corporate tools when handling confidential information. Sharpist has defined standards for secure information exchange with suppliers and other third parties.

Security and warranty Sharpist supply chain


Sharpist customers rely on Sharpist solutions to protect their data. Sharpist takes great care in the development of its systems. Sharpist has formal policies and procedures in place to ensure the security of its supply chain. These policies and procedures explain how Sharpist selects third-party vendors to embed into Sharpist systems. Sharpist also has formal requirements for its suppliers and partners to confirm that they will protect the data and assets of Sharpist and third parties entrusted to them.


Sharpist's   supply   chain   risk   management   practices   focus   on   quality,   availability,   continuity   of   supply   and resilience in Sharpist's direct supply chain, as well as authenticity and security Sharpist platform and services. Other securtiy processes focus on security and product protection during transportation, shipping and storage.

Privacy at Sharpist

You can find more information on data protection at

Incident response


Following recommended practices  in common security  standards  issued by the International Organization  for Standardization (ISO) and other industry sources, Sharpist has implemented a variety of preventive, detective, and corrective security measures with the goal of protecting information assets.

Network protection

Sharpist network protections include solutions to ensure service continuity and defend against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. Events are analyzed using signature detection, which is a pattern matching of environment settings and user activity against a database of known attacks. Sharpist updates the signature database frequently.

Incident response

Sharpist evaluates and responds to incidents that raise suspicion of unauthorized access to or handling of customer data, whether the data  resides on Sharpist hardware assets or on the personal hardware assets of Sharpist employees. Sharpist's  Information Security Incident Handling Policy defines incident reporting and response requirements. This policy authorizes the Information Security Team to serve as the primary point of contact for security incident response and to provide overall direction for incident prevention, identification, investigation, and resolution. Corporate requirements for incident response programs and response teams are defined per incident type:

  • Validation that an incident has occurred
  • Communication with relevant parties and notifications
  • Preservation of evidence
  • Documenting an incident itself and the response activities associated with it
  • Containment of an incident
  • Elimination of an incident
  • Escalating an incident

Upon discovery of an incident, Sharpist defines an incident response plan for rapid and effective incident investigation, response, and recovery. Root cause analysis is performed to identify opportunities for appropriate actions to improve the security posture and defense in detail. Formal procedures and centralized systems are used to gather information and maintain a chain of evidence during the investigation of an incident. Sharpist is able to support legally permissible forensic data collection as needed.


In the event that Sharpist determines that a security incident has occurred, Sharpist will immediately notify all affected customers or other third parties in accordance with its contractual and legal obligations. Information about malicious attempts or suspected incidents is confidential to Sharpist and will not be disclosed to outside parties. Incident history is also Sharpist confidential and will also not be shared externally.

Business Continuity Management

The Sharpist Business Continuity Management policy defines requirements and standards on business interruption events. It also establishes the functional roles and responsibilities required to establish, maintain, test, and evaluate the business continuity capability for Sharpist across business units and locations. It defines the responsibilities for monitoring compliance with the program.