Information Security Policy

This Information Security Policy (ISP) establishes the Information Security Management System (ISMS) framework for information security assurance.

Purpose

The purpose of this Policy is to provide an Information Security Management System framework for information security assurance at the EClaims company, in order to reduce Information Security Risks to an acceptable Risk Level and to maximize return on investment and business opportunities.

The Board ensures that Policy implementation and continuous improvement are supported with adequate resources to achieve all objectives set in this Policy and to satisfy the requirements of compliance with ISO/IEC 27001:2022(E).

Objective

All Information Assets and Systems are identified, related risks are understood and treated to ensure confidentiality, integrity and availability of information, and delivery of services.

Regular Information Security event detection and incident response activities are in place and well known to the related parties.

Scope

This Policy applies to all Employees and Third parties who are authorized to access the Information Assets and Systems.

Information Security Principles

Information Assets and Systems. All Information Assets and Systems are identified, and appropriate protection responsibilities are assigned to owners and users. Information Asset Owners must ensure that assets and systems are inventoried, appropriately classified and protected; must review access rights annually; and must ensure proper handling when an information asset or system is deleted or destroyed. Users are responsible for their own use of any information asset or system, and for any use of it carried out under their responsibility.

Risk Management. Information Security Risk Assessment must be performed annually or when significant changes are proposed or occur. Identified Information Security Risks must be reduced to an acceptable Risk Level taking cost and efficiency into consideration.

Information Security Awareness, Education, and Training. An information security culture must be developed across the EClaims Group so that all Employees understand the Information Security Risks and the importance and requirements of Information Security. All Employees and, where relevant, Third parties must receive appropriate awareness education and training. Employees and Third parties must receive regular updates on the Information Security requirements relevant to their job function.

Security by Design. Information Security must be implemented throughout the development lifecycle of software and information systems.

Compliance. All legislative, statutory, regulatory and contractual requirements relevant to information security, together with the requirements of ISO/IEC 27001:2022(E), are identified and met.

Relationship with Third parties. Information Security requirements for mitigating the risks associated with the Third parties’ access to the Information Assets and Systems must be agreed upon and, if necessary, included in the contracts.

Information Security Incident and Vulnerability Management. Information security incidents must be managed in a consistent and effective way. Information about technical vulnerabilities in the information systems in use must be obtained in a timely fashion, the EClaims Group's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risks.

Roles and Responsibilities

The Board establishes the directions, objectives, and principles for the assurance of Information Security within the EClaims Group.

The Information Security Team is responsible for developing and implementing an EClaims Group-wide Information Security Program; for documenting and disseminating this Policy and the Related Policies; for monitoring their implementation; and for organizing the identification of the EClaims Group's Information Security Risks.

Employees are responsible for protecting the Information Assets and Systems from unauthorized access and use.

Policy review and update

The Policy and all Related Policies must be reviewed at least once a year and updated when necessary.

The Policy and Related Policies must be consistent with the strategic objectives and priority activities of the EClaims Group, the requirements of ISO/IEC 27001:2022(E), and global best practices in Information Security.

Last updated