The security policy adopted by the Sharpist management is implemented within the framework of a program. Protection goals of information security, such as confidentiality, availability and integrity of data, IT systems and their infrastructure are to be ensured.
Sharpist's corporate assets that require a high level of protection include:
Sharpist's goal is to ensure that Sharpist's products and the components and systems necessary for their operation are protected to the best of its ability from, for example, theft of information, willful or malicious modification of software, inappropriate use, and outside threats. The developers of the Sharpist Coaching platform take into account the principle of secure design at every stage of the product development and life cycle of the software. This applies to the phases of specification, development, testing and maintenance of the products.
The Sharpist Security Policy covers security management for both internal Sharpist operations and the services Sharpist provides to its customers, and applies to all Sharpist personnel, such as employees and contractors. These policies are aligned with ISO/IEC 27002:2013 and ISO/IEC 27001:2013 standards and guide all areas of security within Sharpist.
Information security management is the responsibility of the CISO (Chief Information Security Officer) appointed by the management. This position is established as a staff position in Sharpist and reports directly to the Executive Board. Tasks include strategic planning and development of concepts, standards and policies for information security; technical implementation of IT security; and management and coordination of security measures in compliance with ISO 27001 standards. In addition, the CISO is responsible for coordinating and training departmental security coordinators; incident and configuration management; and continuous analysis and optimization of IT security strategies based on business processes.
Furthermore, the CISO organizes the analysis and assessment of risks for information security; the planning and implementation of security concepts in close cooperation with the specialist departments and IT; as well as the execution and support/supervision of audits. The CISO is also responsible for organizing and coordinating information security awareness and training activities. The Chief Information Security Officer (CISO) leads the functional team directly responsible for identifying and implementing security measures at Sharpist. This team drives the company's security program, defines the company's security policies, assesses compliance, and provides operational oversight of the multi-dimensional aspects of Sharpist security policies and practices:
The information security team is responsible for:
The Information Security Team serves as the primary point of contact for security incident response and provides overall direction for incident prevention, identification, investigation, and resolution. Programs within the Information Security team are dedicated to maintaining the confidentiality, integrity, and availability of Sharpist information resources and Sharpist entrusted information resources, including a focus on:
The Information Security Manager (ISM) serves as a security officer to increase awareness of and compliance with Sharpist security policies, processes, standards and initiatives.
The responsibilities of the Physical Security Officers include defining, developing, implementing and managing all aspects of physical security to protect Sharpist employees, facilities, the company and assets.
Sharpist uses a risk-based approach to physical and environmental security to effectively balance prevention, detection, protection and response while maintaining a positive work environment that fosters innovation and collaboration among Sharpist employees and partners. Sharpist conducts regular risk assessments to confirm that the proper and effective mitigation measures are in place and being maintained.
The Sharpist Security Architecture team helps set the technical direction for internal information security and guides Sharpist departments and business units in delivering information security and identity management solutions that advance Sharpist's information security goals. The Security Architect collaborates with Information Security and Software Development, communicating and implementing enterprise security architecture roadmaps. The security architecture team manages a variety of programs and uses various methods of collaboration with leadership and security teams responsible for operations, services, cloud and all other Sharpist business units. Procedure:
Sharpist maintains high standards of ethical business conduct at every level of the organization at which Sharpist does business. These apply to Sharpist employees and contractors and address legal and regulatory compliance, business conduct and relationships and are set forth in the Sharpist Compliance Policy.
Sharpist places a high priority on Human Resources Security. The company continuously implements initiatives to help minimize risks associated with human error, theft, fraud and misuse of facilities, including personnel screening, confidentiality agreements, security awareness education and training, and enforcement of disciplinary actions.
Pre-employment background checks and interviews for newly hired personnel are conducted according to Sharpist policies.
Sharpist employees are required to maintain the confidentiality of customer information. Employees must sign a confidentiality agreement and comply with the company's policy on protecting confidential information as part of their original terms and conditions of employment. Sharpist obtains a written confidentiality agreement from each subcontractor before that subcontractor provides services.
Sharpist promotes security awareness and trains employees on a regular basis. Each employee is required to complete information security training upon hire and annually thereafter. This training educates employees about their obligations under Sharpist's privacy and security policies and principles.
Periodically, security reviews, assessments and audits are conducted to confirm compliance with Sharpist's information security policies, procedures and practices. Employees who fail to comply with these policies, procedures and practices may be subject to disciplinary action, up to and including termination of employment.
Sharpist's Acceptable Use Policy provides guidance to all Sharpist employees and business partners regarding information classification schemes and the minimum handling requirements associated with those classifications. Sharpist categorizes confidential information into four classes - public, internal, confidential, and strictly confidential - with each classification requiring appropriate security measures, such as encryption requirements for data classified as confidential or strictly confidential.
During Sharpist's mandatory training, employees are informed about the company's data protection policy. This training also covers employees' understanding of the classification. Employees must complete this training when they join Sharpist and repeat it periodically thereafter.
The development and maintenance of an accurate system inventory is a necessary element for effective overall information system management and operational reliability. Sharpist's Asset Management Policy requires that an accurate and up-to-date inventory be maintained for all information systems that contain critical and highly critical information assets in Sharpist infrastructures.
The required technical and business information falls into the following categories:
Access control refers to the policies, procedures, and tools that govern access to and use of resources.
Examples of resources include a physical server, a file, a directory, a service running on an operating system, a table in a database, or a network protocol.
The Sharpist Access Control Policy applies to access control decisions for all Sharpist employees and all information processing facilities for which Sharpist has administrative authority. This policy does not apply to publicly accessible Internet-facing Sharpist systems or end users.
Authorization depends on successful authentication, as control of access to certain resources depends on establishing the identity of an entity or person. All Sharpist authorization decisions for granting, approving, and verifying access are based on the following principles:
Sharpist enforces strong password policies for the Sharpist network, operating system, and database accounts to reduce the chances of intruders gaining access to systems or environments by exploiting user accounts and associated passwords.
Sharpist regularly reviews network and operating system accounts with respect to appropriate employee access levels. In the event of employee terminations, deaths or resignations, Sharpist will take appropriate action to immediately terminate network, telephony and physical access.
The use of passwords is covered in the Sharpist Policy for Passwords. Sharpist employees are required to follow rules for password length and complexity and to keep their passwords confidential and secure at all times. Passwords may not be disclosed to unauthorized individuals. Under certain circumstances, authorized Sharpist employees may share passwords for the purpose of providing support services.
Sharpist has implemented and maintains strong network measures to ensure the protection and control of customer data as it is transferred from one end system to another. Sharpist's Access Control Policy states that endpoints connected to the Sharpist network must meet well-established standards for security, configuration, and access method.
For administration of network security and network management devices, Sharpist requires IT personnel to use secure protocols with authentication, authorization, and strong encryption. Network devices must be located in an environment protected with physical access controls and other standard physical security measures. Communications to and from the Sharpist enterprise network must pass through network security devices at the border of the internal Sharpist enterprise network. Access to the Sharpist corporate network by suppliers and third parties is subject to limitations and prior approval per Sharpist's Network Access Policy.
Network devices must be registered in a Sharpist approved information system inventory in accordance with Sharpist policy. This policy requires accurate inventory and documented ownership of all information systems that process critical and highly critical information assets throughout their lifecycle using an approved inventory system.
The Sharpist Security Policy governs the deployment and use of wireless networks and connectivity for accessing the Sharpist enterprise network. Sharpist manages wireless networks and monitors unauthorized wireless networks.
Sharpist's Information Asset Classification determines the enterprise's data security requirements for Sharpist-managed systems. Sharpist policies and standards provide guidance on appropriate measures to protect the confidentiality, integrity, and availability of enterprise data in accordance with the data classification. The required mechanisms are designed to be consistent with the type of enterprise data being protected. For example, security requirements are higher for sensitive or valuable data such as cloud systems, source code, and employment records. Sharpist's security measures can be divided into three categories: administrative, physical and technical security measures.
The Sharpist policy mandates the use of antivirus, IPS (intrusion prevention system), and firewall software on endpoints to the extent possible. In addition, automated security updates and virus signature updates must be enabled on all endpoints. Endpoints that process Sharpist or customer data will be encrypted with approved software.
Sharpist employees must follow Sharpist email instructions and are responsible for immediately reporting to the Sharpist employee help desk any virus or suspected virus infestation that cannot be remedied by anti-virus software. Employees are prohibited from modifying, disabling, or removing antivirus software and the security update service from any terminal device. Sharpist employees who violate this standard may be subject to disciplinary action, up to and including termination of employment.
To protect sensitive Sharpist information, Sharpist employees must install Sharpist-approved encryption software on their endpoints.
Sharpist deploys a mobile device management solution to protect data on employee-operated mobile devices. These solutions support all major mobile device operating systems and platforms. Sharpist's IT and security organizations regularly promote mobile device security awareness and best practices.
Sharpist has implemented the following protocols:
Sharpist's systems run in data centers that help protect the security and availability of customer data. This approach begins with Sharpist's site selection process. The data centers that house Sharpist systems use redundant power sources and maintain generator backups in case of widespread power outages. They are closely monitored for air temperature and humidity, and fire suppression systems are in place. Data center personnel are trained in incident response and escalation procedures to respond to potential security and availability events.
Sharpist security programs are designed to protect the confidentiality, integrity, and availability of both Sharpist and customer data. Sharpist continually works to strengthen and improve the company's security measures and practices for its internal operations and services.
Sharpist has formal requirements for the use of the Sharpist corporate network, computer systems, telephony systems, messaging technologies, Internet access, and other corporate resources available to Sharpist employees and contractors.
Communications to and from the Sharpist corporate network must be routed through network security devices at the network boundary.
Sharpist enforces clearly defined roles that allow segregation of duties among operations personnel. Operations is organized into functional groups, with each function performed by separate groups of employees. Examples of functional groups include database administrators, system administrators, and network engineers.
Sharpist logs certain security-related activities on operating systems, applications, databases and network devices. Systems are configured to log access to Sharpist programs as well as system warnings, console messages, and system errors. Sharpist implements controls designed to protect against operational problems, failure to record events, and/or log overwriting. Sharpist reviews logs for forensic purposes and incidents and identifies anomalous activity that feeds into the security incident management process. Access to security logs is granted on a need-to-know and least privilege basis. When possible, log files are protected by strong cryptography in addition to other security controls, and access is monitored. Logs generated by systems that are accessible via the Internet are moved to systems that are not accessible via the Internet.
Sharpist's inventory management for information systems requires an accurate inventory of all information systems and devices that contain critical and highly critical information assets throughout their lifecycle via a Sharpist inventory system. This policy defines the required identification attributes to be recorded for server hardware, software, data held on information systems, and information needed for disaster recovery and business continuity purposes.
Sharpist manages enterprise solutions for collaboration and communication within Sharpist and with external parties. Sharpist's policies require that employees use these approved corporate tools when handling confidential information. Sharpist has defined standards for secure information exchange with suppliers and other third parties.
Sharpist customers rely on Sharpist solutions to protect their data. Sharpist takes great care in the development of its systems. Sharpist has formal policies and procedures in place to ensure the security of its supply chain. These policies and procedures explain how Sharpist selects third-party vendors to embed into Sharpist systems. Sharpist also has formal requirements for its suppliers and partners to confirm that they will protect the data and assets of Sharpist and third parties entrusted to them.
Sharpist's supply chain risk management practices focus on quality, availability, continuity of supply and resilience in Sharpist's direct supply chain, as well as the authenticity and security of the Sharpist platform and services. Other security processes focus on security and product protection during transportation, shipping and storage.
You can find more information on data protection at https://sharpist.com/legals/privacy-policy/.
Following recommended practices in common security standards issued by the International Organization for Standardization (ISO) and other industry sources, Sharpist has implemented a variety of preventive, detective, and corrective security measures with the goal of protecting information assets.
Sharpist network protections include solutions to ensure service continuity and defend against denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. Events are analyzed using signature detection, which is a pattern matching of environment settings and user activity against a database of known attacks. Sharpist updates the signature database frequently.
Sharpist evaluates and responds to incidents that raise suspicion of unauthorized access to or handling of customer data, whether the data resides on Sharpist hardware assets or on the personal hardware assets of Sharpist employees. Sharpist's Information Security Incident Handling Policy defines incident reporting and response requirements. This policy authorizes the Information Security Team to serve as the primary point of contact for security incident response and to provide overall direction for incident prevention, identification, investigation, and resolution. Corporate requirements for incident response programs and response teams are defined per incident type:
Upon discovery of an incident, Sharpist defines an incident response plan for rapid and effective incident investigation, response, and recovery. Root cause analysis is performed to identify opportunities for appropriate actions to improve the security posture and defense in depth. Formal procedures and centralized systems are used to gather information and maintain a chain of evidence during the investigation of an incident. Sharpist is able to support legally permissible forensic data collection as needed.
In the event that Sharpist determines that a security incident has occurred, Sharpist will immediately notify all affected customers or other third parties in accordance with its contractual and legal obligations. Information about malicious attempts or suspected incidents is confidential to Sharpist and will not be disclosed to outside parties. Incident history is likewise confidential to Sharpist and will not be shared externally.
The Sharpist Business Continuity Management policy defines requirements and standards on business interruption events. It also establishes the functional roles and responsibilities required to establish, maintain, test, and evaluate the business continuity capability for Sharpist across business units and locations. It defines the responsibilities for monitoring compliance with the program.